Last week, the company was reported by the Australian Broadcasting Corporation to have sent the private medical information of hundreds of users to lawyers who are on the hint for people who would want to file personal injury claims.
Health Minister Greg Hunt had ordered a review of the company's operations, the ABC said.
He claimed that only 75 of these entries contained identifying information.
Tan said all published patient feedback had been removed from the site while a review was undertaken.
"We take data security very seriously and acted swiftly and decisively when we became aware of the breach, to identify the error and shut down the published patient feedback function of the Patient Recognition System on website," he said.
"The published patient feedback function will not be reinstated until we are confident the error has been corrected."
Tan said the breach had been reported to the Office of the Australian Information Commissioner as is required under the mandatory breach notification law that took effect in February. The OAIC has not said anything about the incident; its last media release was on 19 February.
HealthEngine appears to run its website on Amazon Web Services.