ACCC v HealthEngine: third party disclosures, misleading reviews, and $2.9M penalties…

Snapshot

On 20 August 2020, the Federal Court handed down its orders in ACCC v HealthEngine Pty Ltd [2020] FCA 1203.

The orders confirmed that:

1. HealthEngine’s publication practices in relation to patient reviews, and its referral arrangements with third party insurance brokers, amounted to multiple contraventions of the Australian Consumer Law (ACL); and
2. these contraventions warranted the imposition of penalties of $2.9M.

These orders are significant for any organisation with consumer-facing offerings – but especially those with a digital presence and the capacity to influence consumer behaviour.  This case shines a (very bright and expensive) light on the need to provide consumers with accurate, detailed and transparent details when obtaining consents and providing information.

It’s also interesting to see the ACCC having pursued action in relation to a misleading disclosure of personal information, in circumstances where the disclosure may have technically complied with the Australian Privacy Principles and accordingly, not been pursued by the Information Commissioner.  This serves as a good reminder to ensure that consent provisions and other consumer-facing communications comply with consumer protection laws (particularly those which relate to false or misleading and deceptive conduct), as well as relevant privacy laws.

The conduct

In 2019, the ACCC initiated proceedings against HealthEngine regarding a number of alleged breaches of the Competition and Consumer Act 2010 (Cth) (CCA).

HealthEngine operates an appointment booking service (together with a related marketplace) for primary healthcare providers.

The two key practices which the ACCC took issue with were:

1. the ‘Review and Ratings Conduct’:
   HealthEngine published feedback it received from patients on its website and app in the form of “patient reviews,” however failed to communicate to consumers that it was:
   1. not publishing negative patient reviews;
   2. editing patient feedback before it was published; and
   3. in terms of ratings, publishing a “no rating” statement if less than 80% of patients said they would recommend their practitioner – indicating that there was insufficient data to provide a rating (rather than providing the actual rating); and
2. the ‘Referral Conduct’:
   HealthEngine failed to make it adequately (that is, expressly) clear to some patients that it was disclosing their personal information to third party insurance brokers. In this regard, HealthEngine:
   1. collected non-clinical personal information from patients who used the booking service;
   2. asked relevant patients if they wished to receive a phone call in relation to health insurance comparison services, or to assist them with assessing their private health insurance needs; and
   3. shared the above information with one of nine insurance brokers, however did not make it adequately clear to patients that if they said ‘yes’ to the relevant questions, their information would be shared in this way.

The Federal Court orders

The Review and Ratings Conduct:

1. was misleading and deceptive, in contravention of s 18 of the Australian Consumer Law (ACL); and
2. was false or misleading as to HealthEngine’s service being of a particular standard, quality, value or grade, in contravention of s 29(1)(b) of the ACL.

The Referral Conduct:

1. was misleading and deceptive, in contravention of s 18 of the ACL; and
2. was misleading as to the nature, characteristics and/or suitability (for its purpose) of HealthEngine’s service.

The penalties

The Federal Court ordered that, pursuant to s 224(I)(a)(ii) of the ACL, HealthEngine must pay a pecuniary penalty of $2,900,000 in respect of their contravention of sections 29 and 34 of the ACL, in four installments of:

1. $750,000 within 6 months;
2. $750,000 within one year;
3. $700,000 within 18 months; and
4. $700,000 within 24 months.

HealthEngine was also subject to non-punitive orders. These included an annual review of HealthEngine’s ACL compliance program for three years at HealthEngine’s expense, and to ensure that the review was carried out by a suitably qualified, independent compliance professional with expertise in competition and consumer law.

HealthEngine was also ordered to contact affected customers by email (all patients whose personal information was provided to the insurance broker) with the information that their personal information was provided to an insurance broker and may have included their:

1. name;
2. phone number;
3. email address;
4. date or year of birth;
5. appointment time; or
6. the type of health care professional the booking was made with.
   The email was also required to include the identity of each insurance broker to whom the personal information was provided, and to explain that HealthEngine’s conduct had been found to be in breach of the ACL.

HealthEngine was also ordered to pay ACCC’s costs of, and incidental to, the proceeding, fixed in the amount of $50,000.

Please let us know if you have any queries, or would like our assistance in reviewing any consumer-facing materials or privacy collection statements/policies in light of the above orders.