Medical appointment giant HealthEngine has been fined $2.9 million for inadequately telling 135,000 patients their personal information was being sold to insurance brokers and misleading consumers with censored reviews.
The conduit for seven million patients and more than 70,000 health practices and practitioners across Australia will also have to contact patients whose information was sold and submit to an annual compliance review by an independent person, Federal Court Justice David Yates ordered.
After the orders were handed down, HealthEngine co-founder and chief executive Marcus Tan again apologised for not meeting the high expectations of the community during a period of "rapid early growth" between 2014 and 2018.
"Good intentions do not excuse poor execution and this process has given us a greater understanding of our operational shortcomings, which we've addressed," he said in a statement.
"HealthEngine never has - and never will - sell user databases to third parties."
More than half of the $2.9 million fine related to edited reviews and misleading rating information on the site.
In the three years to March 2018, HealthEngine edited comments not only to correct typos and de-identify patients, the judge said.
"(It edited comments) to make alterations that removed negative comments and to change the meaning of other comments, including in a way that made them appear more positive than they really were," he said.
Some 3250 reviews were made more positive while more than 17,000 never made to the site.
Besides sending most reviewers a copy of what was published and later also stating it "may" have modified the review, HealthEngine made limited disclosure about what it was doing, Justice Yates said.
It also lied about patients' ratings of health practices.
If fewer than four in every five patients confirmed they would recommend a particular practice to others, HealthEngine told site visitors there was "insufficient data" to calculate a patient satisfaction level and posted no rating online.
"HealthEngine accepts that, by engaging in the review conduct and ratings conduct, it engaged in conduct that was likely to create a more positive or favourable impression in the minds of consumers who used the platforms to find a suitable health practice," Justice Yates said.
Between April 2014 and June 2018, the provider asked patients if they'd like to be called by "our private health insurance experts" about comparison services or to assess the patient's private health insurance needs.
But it was not clear that by clicking "yes", 135,000 patients' non-clinical information was being sent to one of nine private health insurance brokers.
The insurers paid about $1.8 million for the information, but HealthEngine estimated its costs amounted to $1.3 million.
After considering health operator's prior good behaviour, financial position and its admissions, Justice Yates ordered fines of $1.4 million for the referral conduct, $1.2 million for the reviews and $300,000 for the ratings.
It will be paid in four six-monthly instalments.