The Commonwealth Bank is urgently investigating a potential data breach that may have given its staff access to customers’ sensitive medical information.
The issue was discovered around late July as the bank made preparations for the $3.8 billion sale of its insurance arm, CommInsure, to the AIA group.
Medical information supplied by an unknown number of customers to CommInsure was made available to other arms of the bank, including to staff who decide whether to approve or decline loan applications.
The bank said since the discovery of the potential breach, it had been scouring records to ascertain whether the data was “accessed inappropriately” by employees.
While the bank said it had found no evidence of staff outside CommInsure accessing the personal data of CommInsure customers, it has informed the Office of the Australian Information Commissioner, the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA).
But it said it had not told its CommInsure customers, as it did not believe a privacy breach had occurred.
It also did not clarify to the ABC how many people may be affected.
Under the notifiable data breaches scheme, the bank would be obliged to inform customers if “there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds”, and “this is likely to result in serious harm to one or more individuals”.
The bank has retained consultancy firm McGrathNicol to oversee the investigation into whether data breaches occurred.
“We understand that some customers will be concerned about this shared internal access and we are taking steps to ensure access to all sensitive information associated with CommInsure is provided on a need to know basis,” a spokeswoman for the bank said.
The statement said CommInsure information did not form part of the lending decision-making criteria, whether completed by automated or manual processes.
Commonwealth Bank declined repeated requests to provide a spokesperson for interview.
The office of the information commissioner confirmed the bank had told it of the possible breach, and said it had “been asking questions of the Commonwealth Bank of Australia about the incident”, but would not comment further on an ongoing inquiry.
‘Reasonable expectation’ to tell customers
University of New South Wales data privacy expert Katharine Kemp said, based on the facts that the Commonwealth Bank had so far revealed, it was not clear whether the incident constituted a breach under the scheme.
But she said customers should be informed if their information may have been exposed.
“It’s arguable that making health information accessible to unauthorised recipients is a notifiable breach and that, if it isn’t, I don’t think that’s consistent with community expectations,” Dr Kemp said.
“Whether or not CBA can rely on its interpretation as a matter of law, the community has a reasonable expectation that it would be notified of such a failure in CBA’s governance controls, especially given the sensitive nature of health information.”
She said if the data was accessed, it became a question of consent.
“Consent is very important here because it goes to the customer’s reasonable expectation about what is going to happen with their information,” Dr Kemp said.
Pressure to sell pervades culture at CBA
In September last year the CBA agreed to the multi-billion dollar sale of its insurance arm to the Hong Kong-listed AIA, but the sale has already been pushed back from this year to the first half of next year.
In 2016, the ABC’s Four Corners program revealed doctors in the bank were pressured to change their assessments of customers to avoid payouts; payouts to terminally ill customers were delayed; and claims by former staff who were medically retired were not honoured.
Last month, the royal commission into banking grilled the bank’s chief executive, Matt Comyn, and chairman, Catherine Livingstone, over the bank’s culture and a number of scandals – from financial advice rip-offs, to being used by organised crime to launder money – that have rocked it in recent years.
Both Mr Comyn and Ms Livingstone laid the blame at the feet of the bank’s previous leadership.
Jeff Morris, a former employee of the Commonwealth Bank turned whistleblower, said there was a culture at the bank of pressure to meet targets, which sometimes involved accessing customer information to identify people who may be susceptible to sales approaches.
“This is just a symptom of the greed, and the focus on profits, and the bonuses and everything that’s come out in the royal commission,” Mr Morris said.
“This sort of breach of people’s privacy is exactly what you would expect.”
Mr Morris said the potential disclosure of private medical information by CommInsure to other staff at the bank might not be unlawful.
“Whether or not it’s a breach of the Privacy Act, it’s certainly an ethical breach, and that sort of thing was just an everyday event at CBA,” Mr Morris said.
He believes, on the basis of past revelations about the bank, customers should be concerned their medical information was misused.
“It may have been used to identify someone for a certain sort of product, but at this stage we don’t know,” Mr Morris said.
“We may never know.”