HealthEngine notifies users of data breach

More controversy for online health service booking system

Health service booking platform HealthEngine says it has notified the Office of the Australian Information Commissioner of a data breach affecting some of its registered users.

The breach relates to the company’s ‘Practice Recognition System’: A user review system for medical practices.

Earlier this month Fairfax Media revealed that HealthEngine had been selectively publishing positive excerpts from reviews left by the service’s users — including only positive feedback. Fairfax revealed that the full, unexpurgated feedback was visible in the source code of HealthEngine’s pages for medical practices.

Some 75 of the full PRS entries contained identifying information, HealthEngine revealed. The company said it had notified the individuals who left the reviews.

After the Fairfax report, HealthEngine said it would change how it managed the PRS feedback system.

Today it said it would temporarily pull the system from the site.

“We have removed all published patient feedback from our site while we review the HealthEngine Practice Recognition System, to ensure that hidden feedback information can no longer be accessed in this way,” the company’s CEO and founder, Dr Marcus Tan, said in a statement.

“Due to an error in the way the HealthEngine website operated, hidden patient feedback information within the code of the webpage was improperly accessed,” Tan said. “This information is ordinarily not visible to users of the site.”

“We take data security very seriously, and acted swiftly and decisively when we became aware of the breach, to identify the error and shut down the published patient feedback function of the Patient Recognition System on the website,” the statement said.

The PRS is not the only source of controversy HealthEngine is dealing with.

The company has been under fire for passing the details of some of its registered users on to compensation lawyers.

In the wake of criticism from privacy advocates and the Australian Medical Association, HealthEngine said it would “make substantial changes to its business model around advertising and referrals”.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags privacyhealthdata breachesOffice of the Australian Information Commissioner (OAIC)HealthEngine

More about Australian Medical AssociationFairfax Media

Show Comments