HealthEngine has boasted to advertisers it can tailor advertising to patients' symptoms
The Australian startup says it only shares information with users' consent
But if a patient wants to use the app, there is no opportunity to opt out of the fine print about giving information to third parties
Health Minister Greg Hunt has ordered an "urgent review" of Australia's biggest online doctor appointment booking service, HealthEngine.
The ABC earlier reported that the HealthEngine app has funnelled hundreds of users' private medical information to law firms seeking clients for personal injury claims.
A spokesperson for Mr Hunt said the Government had instructed the information commissioner and Australian Digital Health Agency to investigate the issue.
The Perth-based startup, which is part-owned by Telstra and SevenWest Media and boasts 1.5 million monthly and 15 million annual users, has also been touting access to patients' medical conditions and symptoms for targeted advertising campaigns.
The ABC has obtained secret documents from plaintiff law giant Slater and Gordon that reveal HealthEngine was passing on a daily list of prospective clients to the firm, based on their personal medical information, as part of a "referral partnership pilot" last year.
HealthEngine asks users to include details of their symptoms and medical conditions, including whether they have suffered a workplace injury or been in a traffic accident, as part of the process of booking appointments with GPs, dentists, physiotherapists, optometrists and other medical practitioners.
The documents reveal HealthEngine passed on details of an average of 200 clients a month to Slater and Gordon between March and August last year.
A total of 40 became Slater and Gordon clients, yielding a projected $500,000 worth of legal fees.
HealthEngine and Slater and Gordon both declined interview requests and did not respond directly to questions.
HealthEngine said in a statement the company used advertising to "deliver relevant and timely information from our many different advertising partners to our users."
The startup said it did share personal information of users with third parties if they consented.
The company insisted the policy is clearly evident for users via a simple pop-up form in the app.
HealthEngine also has a data-sharing arrangement with the Federal Government's My Health Record digital medical record system.
However, the company said it was unable to directly access patient data held by My Health Record or the Australian Digital Health Agency.
How does HealthEngine get consent from users?
Users of the app are prompted to specify the type of appointment, where they have the option to select whether they have been in a car accident, or had a workplace or non-workplace injury.
However, a separate "collection statement," which users must accept to use the service and confirm their booking, says HealthEngine shares personal information with a range of third parties.
"If you consent, we may also provide your personal information to providers of other products and services which may be of interest to you, such as private health insurance comparison services, providers of finance credit for cosmetic and dental procedures, and providers of legal services," the collection statement says.
In an updated statement from HealthEngine after publication of this article, the company's CEO Dr Marcus Tan said "HealthEngine has no referral arrangements in place with marketing agencies or law firms".
However, Dr Tan conceded the company had provided information to lawyers, but declined to specify when they ceased that arrangement.
"Under previous arrangements, HealthEngine provided referrals to law firms but only with the express consent of the user," he said.
HealthEngine boasts it can tailor advertising to patients' symptoms
The ABC has also obtained a HealthEngine marketing presentation which promises to let advertisers target users for products based on their "age, appointment type ... postcode, symptom and booking type."
"Advertisers have the ability to leverage and skew communication towards patients' [symptom]-related issues or deliver brand message prior to seeing the GP," the presentation says.
It is not the first time HealthEngine's practices have come into question.
Earlier this month, Fairfax revealed the company was tampering with negative patient reviews of doctors to make them appear positive.
The company has since apologised and removed the reviews from its service.
'Intrusive' and 'persistent'
One HealthEngine app user, Sharon*, was called by a call centre shortly after booking a GP appointment through the app.
She had used the app for years, but this was the first time she had selected the "workplace injury" option as the reason for her appointment.
The person on the phone indicated they were from a law firm and wanted to know if she would consider pursuing a legal claim for her injuries, which were sustained during an offsite work trip.
"They wanted to ascertain whether I had sought advice from a personal injury lawyer — and I said no," Sharon said.
"They wanted to know why, and started to talk about ball park figures that I might be entitled to.
"It was quite intrusive — but they were very persistent."
Sharon, who is on a do-not-call register, said she saw no indication during her use of the app that her details might be provided to a third-party law firm.
"I had no idea that by putting anything in HealthEngine it would go any further than the medical professional I was making the appointment with."
Sharon ultimately cut the call short, but said others could easily be coerced into pursuing a legal claim through that system.
"You are picking people at a vulnerable time," she said.
"When you say to somebody, 'do you understand how much money you could be making in this?' a lot of people would start to consider that."
Slater and Gordon used HealthEngine referrals via third party
HealthEngine was among several companies to have referred customers to Slater and Gordon as part of a pilot project last year.
On Sunday, the ABC revealed Slater and Gordon was using an external direct marketing business to find new clients, despite the firm's own top lawyers warning the practice was unethical and possibly illegal.
The secret documents say the firm sourced the HealthEngine referrals via Sydney-based law firm Bannister Law, which held a contract for referrals with HealthEngine.
The documents say Slater and Gordon was not paying a fee for the referrals during the pilot stage; however, it expected Bannister Law to charge for the referrals in the future.
Bannister Law declined to comment.
This article was published and provided by the Australian Broadcasting Corporation.