The Commonwealth Bank is urgently investigating a potential data breach that may have given its staff access to customers’ sensitive medical information. The issue was discovered around late July as the bank made preparations for the $3.8 billion sale of its insurance arm, CommInsure, to the AIA group.
Medical information supplied by an unknown number of customers to CommInsure was made available to other arms of the bank, including to staff who decide whether to approve or decline loan applications. The bank said that, since the discovery of the potential breach, it had been scouring records to ascertain whether the data was “accessed inappropriately” by employees.
While the bank said it had found no evidence of staff outside CommInsure accessing the personal data of CommInsure customers, it has informed the Office of the Australian Information Commissioner, the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA). But it said it had not told its CommInsure customers, as it did not believe a privacy breach had occurred.
It also did not clarify to the ABC how many people may be affected.