Monday 19th November 2018

Healthcare platform announces data breach, declares ‘patient feedback entries’ may have been ‘improperly accessed’

HealthEngine, a doctor appointment booking service, has announced 59,600 "patient feedback entries" may have been "improperly accessed." The announcement comes one week after the platform was accused of passing patients' personal information to a personal injury law firm.
Jason Smith
by on 2nd July 2018

HealthEngine, an online doctor appointment booking service in Australia, announced on the 29th June a data breach that may have resulted in 59,600 patient feedback entries being “improperly accessed.”

The data breach comes in the aftermath of media coverage last week that alleges HealthEngine had passed individuals’ medical information to a personal injury law firm.

HealthEngine claims the data breach occurred due to patient feedback information being made available from the source code of its web pages.

The source code of a web page is typically not visible to users without additional action, e.g. right clicking and selecting “view source” or utilizing a browser’s developer tools.

Of the 59,600 patient feedback entries that were likely exposed, HealthEngine claims only 75 contained “identifying information.” It also claims all affected individuals have been contacted.

While HealthEngine hasn’t disclosed the nature of the data accessed, it claims it didn’t contain authentication information like usernames or passwords, or any account details.

HealthEngine also states it doesn’t hold patient records and has informed Australia’s Data Protection Authority, the Office of the Australian Information Commissioner, about the breach.

In the announcement it states “no action needs to be taken by users of the website” and that it has “worked around the clock” to determine how the data was improperly obtained from its website.

As an interim measure it has removed all published patient feedback from its website until it identifies the source of the problem and why users’ data was accessed in the manner it was.

It also states the feature will not be reinstated until it’s confident the error has been fixed.

According to ABC News, HealthEngine allegedly shared patients’ personal information with personal injury law firm Slater and Gordon.

According to the report, the information was used by the law firm for the purposes of target advertising. Consequently, Australian Minister Greg Hunt has ordered an “urgent review” of the doctor appointment booking service.

Documents obtained by ABC News suggest the healthcare platform was, on average, passing around 200 clients per month to the legal firm. Of those that were passed on, ABC News claims around 40 became clients and subsequently generated legal fees of $500,000 for the law firm.

In response, HealthEngine CEO Marcus Tan states on the organization’s website that “no personal data is shared with third party providers for referral purposes without the express consent of our users.”

He goes onto state the media reports have created an “incorrect impression that the health and personal information of HealthEngine users is being widely shared with third parties without their knowledge” and that this “simply isn’t the case.”