While preparing for the $3.8 billion divestment of CommInsure to AIA, CommBank has uncovered an issue that allowed sensitive medical information about clients to be accessed by unauthorised staff.
The Bank discovered that an internal group-wide system also has access to CommInsure-linked systems and data.
The Bank is reviewing access logs to find out whether data was inappropriately viewed by unauthorised employees. CBA has also called in McGrathNicol Advisory to provide independent oversight of CBA’s investigation of the data sharing arrangements.
The issue was discovered around late July. The Bank has not yet informed customers, choosing to wait for the results of the review to find out whether there has been any inappropriate access.
As reported by the ABC, it is unclear whether the data sharing and internal security controls themselves would constitute a data breach under Australia’s mandatory notification scheme.