OAIC Told to Investigate HealthEngine's Sharing Client Data with Lawyers

Posted on June 25, 2018
Riviera Beach Pays Nearly $600K to Recover Data after Ransomware Attack
The Office of the Australian Information Commissioner (OAIC) received instructions to investigate HealthEngine's practice of sharing clients' personal information with lawyers. According to the Australian Broadcasting Corporation (ABC), a spokesperson for Australia's health minister Gregory Andrew Hunt confirmed that that OAIC and the Australian Digital Health Agency had both received instructions to look into the data-sharing procedures of HealthEngine. Australia's largest online doctor appointment booking service, HealthEngine asks users to provide details of their symptoms and medical condition when looking to see a general practitioner or other medical professional. It also requests users whether they acquired their medical condition through a workplace injury. The service then in some circumstances passes this data on to Slater and Gordon, an Australian personal injury compensation law firm which may then follow up with patients about the possibility of initiating legal action. ABC's reporting revealed that Slater and Gordon received information on 200 HealthEngine clients a month between March and August in 2017. 40 of those clients became clients with the law firm, representing a total of $500,000 in legal fees. Sharon was one of the people whom Slater and Gordon contacted. She shared her experience with ABC:
They wanted to ascertain whether I had sought advice from a personal injury lawyer — and I said no. They wanted to know why, and started to talk about ball park figures that I might be entitled to. It was quite intrusive — but they were very persistent. I had no idea that by putting anything in HealthEngine it would go any further than the medical professional I was making the appointment with.
In its privacy policy, HealthEngine explained it does retain the right to disclose information with third-party service providers including lawyers "but only for the purpose of providing goods or services to us. Some of these software services allow us to advise you of certain services and benefits available to you." The booking service wrote on Twitter that it gains clients' consent to these types of referrals on an opt-in basis by using a pop-up window that appears during the booking process. https://twitter.com/healthengine/status/1011068955224444928 HealthEngine noted in a statement that those who don't opt in are still allowed to use its booking services. Along with Slater and Gordon, the online booking platform declined interview requests from ABC. News of these investigations follow less than a month after it became known that scammers targeted customers of the travel e-commerce company with phishing messages designed to steal their sensitive financial information.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!