Commonwealth Bank confirmed it is undertaking an investigation into a potential privacy breach that may have seen sensitive medical information of CommInsure claimants accessed by employees in other departments of the bank.
As reported by the ABC earlier today, CBA is investigating whether a breach may have occurred internally when medical information provided by customers to CommInsure was passed through and/or on to other arms of the group.
"We have identified that some internal group-wide systems also have access to CommInsure linked systems and data. This access allowed, for example, branch staff to upload completed CommInsure forms, provided by a customer in branch, or our group customer relations team to manage complaints, including claim disputes, across the group," a CBA spokesperson said.
According to the ABC, the data may have been used to determine whether loan applications were approved or denied. CBA denied this, saying CommInsure information does not inform lending decisions, either automated or manual.
The potential breach was identified as part of data segregation work undertaken by the bank in preparation for the sale of its life insurance business to AIA. As a result, a review was commenced in August 2018.
CBA said a review of files, carried out to check for unauthorised access to data, has not identified any inappropriate conduct so far. McGrathNicol Advisory is providing independent oversight of the investigation.
The bank said it is making changes to its systems to permanently restrict access to sensitive CommInsure information to a need-to-know basis.
The spokesperson said regulators have been informed of the potential breach and an open dialogue is ongoing.
"We take our regulatory obligations seriously and should any instance of unauthorised access be identified, regulators and customers affected will be informed," CBA said.