In case you haven’t seen it in the media recently, the medical booking and referral app HealthEngine has been ordered to undergo an URGENT review relating to patient data privacy breaches. The Government has instructed the Information Commissioner to investigate this issue.

HealthEngine is Australia’s largest doctor appointment booking system, so this has the potential to expose many doctors who are using the app, as well as patient information.



What is the potential breach?

As part of using the app, HealthEngine asks users to include details of their symptoms when booking appointments. When a patient indicates they are booking an appointment for a workplace or personal injury claim, HealthEngine has been selling that user’s private medical information to personal injury law firms. News reports reveal that approximately 200 patients per month have been impacted over a six-month period.

You can read the full story here.


They are also being investigated for editing patient reviews!

As well as the potential patient data breach, HealthEngine also provides a review service for patients to give feedback on doctors – this too has come under fire.

It is alleged that up to “53% of the 47,900 ‘positive’ patient reviews on HealthEngine have been edited in some way.” HealthEngine initially defended its position, claiming it only published positive reviews to support its high-performing GPs, but it has since relented and acknowledged this was potentially misleading conduct.

How reviews and testimonials work in HealthEngine:

  1. It compares different regulated health professions even where there is no evidence on which to base the comparison and/or in a way that may mislead or deceive
  2. It claims that the services provided by a particular regulated health professional are better or safer than others, when once again it has no basis on which to make these claims

The use of patient reviews in advertising medical services is already prohibited by the National Law. Doctors are treading in very murky water when it comes to online reviews, and AHPRA will come down hard on any medical practitioner who is seen to be “encouraging” positive reviews of their services. As I think I’ve mentioned before – when in doubt leave it out, and in this instance, I would be very wary of using apps like HealthEngine.

You can read the full story here on the unlawful editing of patient reviews.


As a lawyer, what would I do?

If I were running a practice using HealthEngine I would seriously consider whether this was the most appropriate platform for me to continue using. Aside from the misleading review and testimonial process which they are being investigated for, the recent data breach means HealthEngine can no longer claim patient data is safe. If you use this app in your practice then, as a medical practitioner who is now aware of the breach, you too can no longer claim your patient data is safe.

If you are using HealthEngine, as a minimum you are required under the new Privacy Data Breach laws to conduct an internal review to determine whether any of your patients have been impacted. As a courtesy, I suggest writing a letter to your patients letting them know of the potential breach. This gives your patients the opportunity to decide whether they continue using the app.


If you use HealthEngine and would like to discuss your options going forward, please feel free to get in touch for a no-cost consultation.