HealthEngine has been slugged with a $2.9 million fine for removing and editing reviews on its platform and sharing personal details of patients with private health insurers.

The Australian Competition and Consumer Commission (ACCC) began investigating the Western Australian startup – which describes itself as Australia’s largest online health marketplace – in July 2018 and launched legal proceedings last year.

The Federal Court found that HealthEngine engaged in misleading conduct in relation to the sharing of personal patient data with insurance brokers and the publishing of misleading patient reviews and ratings, resulting in the almost $3m fine.

Between 30 April 2014 and 30 June 2018, the startup gave non-clinical user information, including their names, dates of birth, phone numbers and emails, of over 135,000 patients to third-party private health insurance brokers without properly disclosing this to the users.

The Court heard that HealthEngine made more than $1.8 million from the arrangement with the insurance companies during this period.

The company has also been ordered to contact all the impacted users and provide information on how they can regain control of their personal data.

“These penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers’ data, they risk breaching the Australian Consumer Law,” ACCC chair Rod Sims said.

“The ACCC is very concerned about the potential for consumer harm from the use or misuse of consumer data.”

The Federal Court also ruled that HealthEngine had engaged in misleading conduct by not publishing about 17,000 reviews and editing around 3,000 others to remove negative aspects or embellish other parts.

“The ACCC was particularly concerned about HealthEngine’s misleading conduct in connection with reviews it published, because patients may have visited medical practices based on manipulated reviews that did not accurately reflect other patients’ experiences,” Sims said.

HealthEngine has admitted it made mistakes with the two services, which have both been discontinued, and made a joint submission to the court with the competition watchdog.

In a statement, HealthEngine co-founder and CEO Marcus Tan said the company welcomed the conclusion of court proceedings, and acknowledged mistakes were made.

“When the ACCC commenced proceedings against HealthEngine nearly a year ago, we acknowledged that our rapid early growth had sometimes outpaced our systems and processes and we sincerely apologised that we had not always met the high expectations of the community and our customers. That apology still stands,” Mr Tan said.

“Good intentions do not excuse poor execution and this process has given us a greater understanding of our operational shortcomings, which we’ve addressed. Our mission to enable better healthcare experiences and outcomes remains at the heart of everything we do.”

HealthEngine said that the reviews system and the practice of sending personal user information to insurance brokers had been discontinued or “significantly overhauled” before it was formally notified of the ACCC’s investigation, and that no clinical data was provided to the private health insurers.

The company did admit that it did not properly inform its users about this practice though, and as part of the court order will be commissioning an annual independent review of its compliance with Australian Consumer Law for the next three years.

“We did not make it sufficiently clear on the booking form that a third party, not HealthEngine, would be contacting them regarding the comparison and that we would be passing on consumer details for that to occur,” the company statement said. “This was an error and HealthEngine apologises for it.

“HealthEngine is confident that no adverse health outcomes were created by these issues and no clinical data was shared with any private health insurance comparison service.”