Health Engine Patient Data scandal; what should you do next?



After a recent national patient data breaches headlines ….

‘Scandal-hit HealthEngine axes third party referrals, patient reviews’


‘HealthEngine app announces ‘major changes’ after doctor and patient backlash’

This important article comes from an independent law firm Peripheral Blue. 

Now is a good time to consider what you need to do.

Even amidst the (almost daily) barrage of data breach headlines, the reports about the data sharing practices of HealthEngine and other providers have generated an enormous amount of publicity.

According to reports, HealthEngine has sold personal health data, collected via its online medical appointment booking service, to law firms who have used it to contact prospective clients for personal injury matters.

The public outcry about these revelations demonstrates just how protective people feel about their health information. As health service providers, patients view their medical practices as the custodians of their health data, even where that data is actually being processed by a third party. In fact, patients may be surprised at how many third parties have access to their personal information as part of the service they receive from their GP.

For this reason, health information has stringent protection under the Australian Privacy Principles, including restrictions around its disclosure for secondary purposes. The commencement of the new Notifiable Data Breaches scheme in Australia (which can attract fines of $2.1 million for non-compliance and applies to all private sector health service providers) means that medical practices must have data protection as a key compliance focus.

For overseas patients the new European Laws may also apply!


The European Union’s strict new privacy law, the General Data Protection Regulation (‘the GDPR’), is now in place and has already had a wide-ranging global impact. The GDPR will apply to businesses outside of Europe where:

  • the business monitors the behaviour of EU data subjects and that behaviour takes place in the EU (which may include where the business uses marketing analytics technology to track behaviour); or
  • the business offers goods or services to data subjects in the EU.

Even if the GDPR does not apply to your particular practice now, increased globalisation means that it’s likely that the standards it applies will operate worldwide, as more and more businesses seek to impose their data protection obligations within contractual agreements.

These changes to the data protection landscape, and the growing prevalence of data breaches, mean that being accountable for your patients’ data protection is of critical importance.

An important component of data protection accountability is to ensure that any agreements you enter into with third parties to process health data on your behalf must include personal data protection obligations. Where the GDPR applies, contracts with third-party processors should contain specific clauses required by GDPR. You should also ensure that your contracts contain appropriate protections in the event that your practice is implicated in a data breach ultimately caused by a third party that you work with. This is particularly important in light of the requirements under the Notifiable Data Breaches scheme.

Some important steps to take now are to:

  • review contracts with third-party businesses that process data on your behalf and amend them if necessary;
  • be open and transparent with patients in your privacy policy and privacy notices about all the uses and disclosures of their personal information (particularly where that information is transferred to a third party), and;
  • notify patients (and seek consent if you need to) if your uses of their personal data change.

For more information contact us.




We thank Peripheral Blue Legal for this article.

2 comments on “Health Engine Patient Data scandal; what should you do next?”

Leave a Reply