Insurance firm settles over privacy breach

An insurance company has been forced to reach a settlement and change its policies after breaching a man's privacy by accessing his full medical history without permission.

The unidentified man brought a complaint to the Office of the Privacy Commissioner after the company he applied to for trauma insurance accessed his full medical records for the previous five years.

In a comment on the case published this week, the office found that the company had breached its obligations concerning private data.

As a result of a 2009 inquiry into the practice, Commissioner Marie Shroff had previously warned insurance companies and customers to be careful about what data they requested.

Insurers did not usually need to get complete medical histories from applicants, she said. "If you're applying for insurance and the insurer says it needs full notes, ask why."

In the recent case, the man applied for trauma insurance, gave the insurer "extensive medical details" and authorised it to get information about any previous insurance claims he had made.

The company then went to the man's doctor and asked for his medical history for the past five years. The doctor sent it to them.

The man complained that the company did not need full access to his records to assess him.

Insurance companies must abide by the Health Information Privacy Code. Rule one of the code says they must not collect health information unless it is necessary for a lawful purpose connected with their function.

The company told the commissioner it was following its internal policy. It had found three matters in the man's application about which it needed more information to assess him.

"It was the company's policy to request a medical report containing five years of medical notes in any case where more than two issues were identified," Shroff said.

However, the insurer "should only have requested information relating to the three issues it had identified".

The company and the complainant reached a private settlement, and the insurer had since changed its policies so that, in future, it would ask for data only on specific matters.

The Dominion Post