A massive data breach has exposed the sensitive medical details of countless bank insurance customers.
CommBank has admitted that medical data held by its insurance arm, CommInsure, was accessible to staff members, such as those making decisions on loan applications, with potential for the data to be misused.
CommBank is investigating the potential breach but has not yet found any evidence of data being “accessed inappropriately” by employees or of information being accessed outside of its insurance arm.
The breach was discovered in late July 2018 when the bank was preparing for the $3.8 billion sale of CommInsure to the Hong Kong-listed AIA life insurance group.
The bank said it felt compelled to inform the Office of the Australian Information Commissioner, the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) of the breach.
The bank was obliged to inform customers if “there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds”, and that “this is likely to result in serious harm to one or more individuals”. Although CommBank told its customers it did not believe a privacy breach had occurred, it would not clarify how many people might be affected.
“We understand that some customers will be concerned about this shared internal access and we are taking steps to ensure access to all sensitive information associated with CommInsure is provided on a need to know basis,” said a CommBank spokesperson.
Regardless of the bank’s opinion of the extent of the breach, one privacy expert said the onus was on the bank to inform all of its customers of the potential for their information to be abused.
“It’s arguable that making health information accessible to unauthorised recipients is a notifiable breach and that, if it isn’t, I don’t think that’s consistent with community expectations,” said University of New South Wales data privacy expert Katharine Kemp.
“Whether or not CBA can rely on its interpretation as a matter of law, the community has a reasonable expectation that it would be notified of such a failure in CBA’s governance controls, especially given the sensitive nature of health information.
“Consent is very important here because it goes to the customer’s reasonable expectation about what is going to happen with their information,” said Dr Kemp.
CommBank’s culture had been called into question in the banking royal commission, after a number of scandals within the organisation were exposed, including questionable financial advice, rate manipulation and accusations of money laundering by organised crime groups.
It seems questionable use of customer data may now be added to that list.
Speaking to Leigh Sales on the 7.30 Report, former CommBank employee turned whistleblower Jeff Morris said the bank's culture of pressuring staff to meet targets sometimes involved accessing customer information to identify potentially vulnerable people who may have been more susceptible to certain sales approaches.
“This is just a symptom of the greed, and the focus on profits, and the bonuses and everything that’s come out in the royal commission,” said Mr Morris.
“This sort of breach of people’s privacy is exactly what you would expect.”
Mr Morris conceded, however, that the potential disclosure of private medical information might not be unlawful.
“Whether or not it’s a breach of the Privacy Act, it’s certainly an ethical breach, and that sort of thing was just an everyday event at CBA,” said Mr Morris.
Even so, he said customers have the right to be concerned about the potential misuse of their medical information.
“It may have been used to identify someone for a certain sort of product, but at this stage we don’t know,” said Mr Morris.
“We may never know.”
Read more at www.abc.net.au
Are you a CommBank customer? Are you surprised by this latest example of potentially unethical behaviour?