Shared data an ‘abuse of trust’

James Riley
Editorial Director

A review has been launched into a Perth startup’s practice of sharing its users’ medical information with law firms, with doctors and civil rights advocates labelling it an “abuse of trust”.

ABC News revealed on Monday that Perth-based tech firm HealthEngine had been sharing hundreds of users’ private medical information with law firms seeking personal injury claims as part of a “referral partnership pilot”.

The company has said that this was only done with the user’s “express consent”, but ABC News reported that the consent was only included in a separate “collection statement” that a user has to accept in order to use the service.

Marcus Tan: HealthEngine consent referrals voluntary and opt-in

The Office of the Australian Information Commissioner, along with the Australian Digital Health Agency, launched a review of HealthEngine’s data-sharing practices late on Monday.

“The OAIC is aware of media reports regarding the app HealthEngine and is making enquiries with HealthEngine about the details of those reports,” an OAIC spokesperson told

HealthEngine is Australia’s biggest online health marketplace, allowing users to book medical appointments through its app. It has 1.5 million monthly users and 15 million annual users and is part-owned by Telstra and SevenWest Media.

When making an account or appointment, the app asks users to enter information on their symptoms and previous medical conditions, including workplace injuries or traffic accidents. The ABC reported that this information was then passed on to law firms who were looking to launch personal injury claims.

HealthEngine responded to the report on Monday, saying that consent for the data-sharing was obtained via a “simple pop-up form at the time of booking”.

“Consent to these referrals is entirely voluntary and opt-in, and we do not provide any personal information for the purposes of a referral without this consent.

“These referral services are provided as a value-add to our users who opt-in to the service, in order to help them access services they request at relevant stages of their health journey,” HealthEngine CEO Marcus Tan said in a statement.

“I would like to reassure users that HealthEngine does not provide any personal information to third parties without the express consent of the affected user or in those circumstances described in our privacy policy.”

The data-sharing practice was widely criticised by doctors, lawyers and digital and civil rights advocates.

Electronic Frontiers Australia board member Justin Warren said Australia’s laws need to be changed to stamp out practices like this.

“If this ethically dubious behaviour is technically legal, then Australia’s privacy legislation must be changed. People have made it clear time and time again that information about their health is extremely personal and private and they expect it to be kept secure, not shared with all and sundry. I cannot understand how any doctor would allow their patients’ trust to be abused in this way,” Mr Warren said.

Startups and tech companies need to understand the importance of keeping health data secure, Future Wise health spokesperson Trent Yarwood said.

“Making access to healthcare easier for people is critical. However, practice managers and healthcare professionals must understand the privacy implications of how they do this. Too many services are set up with the primary aim of selling personal data to advertisers and providing ‘convenient’ services to people purely as a hook to get this data,” Dr Yarwood said.
