Online doctor booking service HealthEngine has been condemned in a joint statement by Future Wise, Australian Privacy Foundation and Electronic Frontiers Australia.
An ABC investigation revealed that the company, which is part owned by Telstra and SevenWest Media, had been operating a lead-generation service, passing the details of its users on to law firms in some cases.
“We do have referral arrangements in place with a range of industry partners including government, not for profit, medical research, private health insurance and other health service providers on a strictly opt-in basis,” the CEO said.
“These referrals do not occur without the express consent of the user.”
The ABC reported that end user consent is via agreement with a ‘collection statement’ — which it said is necessary to confirm a booking.
HealthEngine said: “Contrary to the ABC report’s suggestion, consent to these referrals is not hidden in our policies but obtained through a simple pop-up form as part of the booking process … or provided verbally to a HealthEngine consultant. Consent to these referrals is entirely voluntary and opt-in, and we do not provide any personal information for the purposes of a referral without this consent.”
“Users are able to continue to use our booking services even if they do not provide their express consent to being contacted by a referral partner through the pop-up form,” the statement said.
“If this ethically dubious behaviour is technically legal, then Australia’s privacy legislation must be changed,” EFA board member Justin Warren said in a statement.
“People have made it clear time and time again that information about their health is extremely personal and private and they expect it to be kept secure, not shared with all and sundry,” he added. “I cannot understand how any doctor would allow their patients’ trust to be abused in this way.”
The statement from the three privacy rights groups said that the law “must be changed to provide robust privacy protections for all Australians, such as by finally giving us the right to sue for breach of privacy, requiring explicit consent for each disclosure of medical or health data to a third party, and proper auditing of record-access that is visible to the patient.”
“The current system is too easy to bypass for unscrupulous operators looking to make a fast buck,” the statement said.