CBA reveals data flaw
The Commonwealth Bank has responded to a data breach that may have given staff access to customers' sensitive medical information.
The bank says the issue was discovered as the bank made preparations for the $3.8 billion sale of its insurance arm, CommInsure, earlier this year.
Medical information of CommInsure customers was made available to staff at the bank who decide whether to approve or decline loan applications.
The bank says it has been scouring records to work out whether the data was “accessed inappropriately”.
The bank informed the Office of the Australian Information Commissioner, the Australian Security and Investment Commission (ASIC) and the Australian Prudential Regulation Authority (APRA), but not its CommInsure customers.
The new notifiable data breaches scheme obliges the bank to inform customers of any “unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds” that is “likely to result in serious harm to one or more individuals”.
The incident could possibly constitute a breach under the scheme, according to University of New South Wales data privacy expert Katharine Kemp.
She said customers should be informed if their information may have been exposed.
“It's arguable that making health information accessible to unauthorised recipients is a notifiable breach and that, if it isn't, I don't think that's consistent with community expectations,” Dr Kemp told the ABC.
“Whether or not CBA can rely on its interpretation as a matter of law, the community has a reasonable expectation that it would be notified of such a failure in CBA's governance controls, especially given the sensitive nature of health information.”
Consultancy firm McGrathNicol has been brought in to oversee the investigation of possible data breaches.
“We understand that some customers will be concerned about this shared internal access and we are taking steps to ensure access to all sensitive information associated with CommInsure is provided on a need to know basis,” a spokesperson for the bank said.