CBA’s work to ringfence its CommInsure business for divestment has uncovered potentially problematic data access controls and internal group functions with access to sensitive medical information.
ABC News reported that medical information from claims lodged by an unknown number of customers had been “made available” outside of CommInsure.
It is understood the data access arrangements and controls were uncovered as part of data segregation works as CBA prepares CommInsure for its $3.8 billion sale to AIA.
A Commonwealth Bank spokesperson confirmed to iTnews that the bank had been investigating the practices since uncovering them in August.
“We have identified that some internal group-wide systems also have access to CommInsure linked systems and data,” the spokesperson said.
“This access allowed, for example, branch staff to upload completed CommInsure forms, provided by a customer in branch, or our group customer relations team to manage complaints, including claim disputes, across the group.”
The bank disputed an allegation in the ABC report that the information could have been accessed by its lending business.
“CommInsure information does not form part of lending decision making criteria whether it is completed by automated or manual processes,” the spokesperson said.
CBA said it had called in McGrathNicol Advisory “to provide independent oversight” of the CBA’s investigation of the data sharing arrangements.
The spokesperson said that a review “of CommInsure files [is underway] to ensure no data has been accessed inappropriately by employees”.
The bank is reviewing access logs to documents - such as those that would have been scanned locally in branches and then lodged electronically from there to a CommInsure claims officer - to work out whether that data was ever inappropriately accessed by anyone in the bank.
It said so far that it had not uncovered any instances where the CommInsure data had actually been accessed inappropriately.
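The review described above, of who opened claim documents and whether their role justified it, is a plain log-review exercise. The following is an added example, not code from the article or from CBA, showing one way such a check can be written: a constructed pipe-separated access log is parsed, and every event is compared against a hypothetical policy of which business units are expected to perform which actions on claim forms (branch staff upload, the claims team and customer relations read, only the claims team updates). Any access outside that policy, or involving an unknown document type or action, is flagged for a reviewer to follow up. The log format, the unit names and the policy are all assumptions made for the example.

```python
# Added example (not from the article or CBA): review a document-access log
# and flag accesses to claim files by staff outside the units expected to handle them.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical policy for the example. Keys: document type -> action -> units
# allowed to perform that action. Anything not listed is treated as unexpected.
EXPECTED_ACCESS: Dict[str, Dict[str, Set[str]]] = {
    "claim_form": {
        "upload": {"branch", "claims"},             # branch staff lodge forms
        "read": {"claims", "customer_relations"},   # claims handling and complaints
        "update": {"claims"},                       # only the claims team edits
    },
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str        # timestamp as written in the log
    user: str      # user identifier
    unit: str      # business unit the user belongs to
    doc_id: str    # document identifier
    doc_type: str  # document type, e.g. claim_form
    action: str    # upload / read / update


def parse_log(lines: List[str]) -> List[AccessEvent]:
    """Parse pipe-separated log lines (constructed format) into events.

    Malformed lines are skipped rather than raising, so one bad record does
    not stop a review of the rest; a real review would count them separately.
    """
    events: List[AccessEvent] = []
    for line in lines:
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            continue
        events.append(AccessEvent(*parts))
    return events


def find_unexpected_access(
    events: List[AccessEvent],
    policy: Dict[str, Dict[str, Set[str]]] = EXPECTED_ACCESS,
) -> List[AccessEvent]:
    """Return events whose (doc_type, action) is not permitted for the user's unit.

    Unknown document types or actions are flagged too: a review should surface
    gaps in the policy rather than silently accept them.
    """
    flagged: List[AccessEvent] = []
    for ev in events:
        allowed = policy.get(ev.doc_type, {}).get(ev.action)
        if allowed is None or ev.unit not in allowed:
            flagged.append(ev)
    return flagged


def summarise_by_unit(flagged: List[AccessEvent]) -> Dict[str, int]:
    """Count flagged events per business unit, for a reviewer's overview."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in flagged:
        counts[ev.unit] += 1
    return dict(counts)


# Constructed sample log: timestamp | user | unit | doc_id | doc_type | action
SAMPLE_LOG = [
    "2019-08-02T09:14:05|u1001|branch|CLM-000123|claim_form|upload",
    "2019-08-02T10:02:41|u2044|claims|CLM-000123|claim_form|read",
    "2019-08-03T14:37:19|u3310|customer_relations|CLM-000123|claim_form|read",
    "2019-08-04T08:55:02|u4120|lending|CLM-000123|claim_form|read",
    "2019-08-04T08:56:10|u1001|branch|CLM-000123|claim_form|read",
    "this line is malformed and will be skipped",
]

if __name__ == "__main__":
    flagged = find_unexpected_access(parse_log(SAMPLE_LOG))
    for ev in flagged:
        print(f"{ev.ts} {ev.user} ({ev.unit}) {ev.action} {ev.doc_type} {ev.doc_id}")
    print("flagged per unit:", summarise_by_unit(flagged))
```

On the sample log the branch upload and the two reads by the claims and customer relations teams pass, while the read by a lending user and the later read by the branch user (branch staff are expected to upload forms, not open them) are flagged. Treating unknown document types or actions as findings rather than ignoring them is the important design choice: the situation the article describes is precisely one where access paths existed that nobody had written down.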
As reported by the ABC, it is unclear whether the data sharing and internal security controls themselves would constitute a data breach under Australia’s mandatory notification scheme.
CBA said it is keeping authorities informed about the progress of its investigation, including the Office of the Australian Information Commissioner (OAIC), as well as financial regulators the Australian Securities & Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA).
The bank’s spokesperson said more broadly that over the last year, CBA had “commenced the development and implementation of an extended privacy program with the aim to uplift our privacy capability, controls and monitoring to provide assurance that Commonwealth Bank is effectively managing our privacy obligations.”