Leonard and Welch Law & Orderly blog

Life insurers love to talk about trust, fairness and doing the right thing by customers. Then, every so often, a case comes along that shows what really happens when the wheels come off. A recent privacy breach is one of them.

A recent sanction by the Life Insurance Code Compliance Committee is one such case in which an insurer breached the privacy of more than 2,000 customers.

An insurer received a formal warning after it collected customers’ medical information during underwriting without first obtaining valid consent in the prescribed medical authority wording. The conduct ran from March 2020 to March 2024 and affected 2,171 applications involving more than 2,000 customers. The issue only came to light after a customer complaint, not because the insurer’s own systems detected it.

That is not a technical slip-up. That is an insurer handling deeply personal medical information without first getting the authority process right.

This is not red tape. It is basic consent.

Medical authorities matter because they tell customers what medical information will be collected, how it will be used, how it may be shared, and what privacy protections apply. That is the point of informed consent, and it is why the Code prescribes the wording: so that customers clearly understand what they are agreeing to before the insurer starts gathering records. That should be the bare minimum.

If an insurer wants access to your medical history, it should have to do the paperwork properly before it starts asking doctors for records. Consumers should not have to hope the insurer’s back office has remembered which workflow applies this week.

How did the insurer breach its customers’ privacy?

The explanation given is telling. Staff were temporarily moved from a part of the business where consent was captured automatically to another area where that safeguard was missing. As a result, they requested medical information without realising that valid consent had not yet been obtained. The Committee also found the problem went undetected by the insurer’s own quality assurance and monitoring processes.

Put plainly, the insurer changed its internal process, removed the safeguards, and failed to notice that it was trampling customers’ rights in the meantime.

That is exactly the sort of thing consumer lawyers see all the time. Insurers often describe these events as process issues, systems issues, training issues or unfortunate oversights. But from the customer’s side, it looks simpler than that. The insurer collected your private information without proper authority because it did not have its house in order.

Why this matters for ordinary people

Some people will read this and think, “Well, if the insurer was going to get the records anyway, what is the big deal?” The big deal is consent.

Medical records are among the most sensitive documents a person has. They can include mental health history, medication history, family issues, past diagnoses, irrelevant background material, and details that may have nothing to do with the policy being applied for. The Code requirement exists so the customer knows what they are signing up to before the insurer starts gathering that information. The Committee expressly said this was a fundamental customer protection. It also said the affected customers faced a real risk that their information could be used in ways they might not have agreed to had they been properly informed. That is why this matters. Once the information is collected, the bell cannot really be unrung.

The really worrying part

For me, the most troubling part is not just that the insurer breached privacy. The problem is that it continued for about four years and only came to light after a customer complained. The insurer’s own monitoring did not catch it. That raises an uncomfortable question: how many other “manual process” failures sit unnoticed until a policyholder happens to kick up a fuss?

Insurers are very quick to demand perfect compliance from claimants and applicants. Miss a deadline, forget a form, fail to answer a question exactly as asked, and the insurer may try to rely on that against you. Yet when the insurer itself fails to follow a core privacy and consent safeguard affecting more than 2,000 customers, the language suddenly becomes softer: process gap, oversight issue, remediation program. Consumers expect better.

Was a formal warning enough?

The Committee imposed a formal warning after weighing the seriousness and duration of the breach, the number of affected customers, the fact that the issue was found through a complaint rather than internal systems, and the insurer’s remediation steps. Those steps included staff training, system fixes to automate valid consent procedures, and stronger quality assurance and monitoring. That is better than nothing. But it also shows the limits of industry self-regulation. When a breach involves medical privacy, lasts for years, and affects thousands of people, many consumers would fairly ask whether a formal warning really packs enough of a punch.

A warning may promote “industry learning”. It may also leave consumers wondering whether insurers face meaningful consequences for mishandling sensitive information.

What consumers should take from this

First, never assume that because an insurer puts a form in front of you, the insurer has done everything properly behind the scenes. Second, if an insurer seeks access to your medical information, read the authority carefully. Check what information the authority seeks, who can use it, and how broadly it is drafted. Third, if something feels off, complain. In this case, the issue came to light because a customer spoke up. Fourth, keep records. Keep the forms you signed, the dates you signed them, and the correspondence that followed. If a later dispute arises about what authority was or was not given, that paper trail will matter.

The broader lesson for insurers

This case is a reminder that “operational changes” are not an excuse. If an insurer introduces manual steps, it must also implement appropriate controls. The Committee put it plainly: operational changes must not weaken core compliance safeguards, and strong oversight must stay in place, especially where manual steps are introduced. That should not be controversial. If an insurer wants the benefit of collecting and assessing sensitive health information, it also has to bear the burden of obtaining consent correctly every single time. Not most of the time. Not when the automated workflow is active. Every time.

Final word

From a consumer lawyer’s point of view, this is a useful reminder that insurers do sometimes get naughty, not always in dramatic ways, but in quiet administrative ways that still matter enormously. A missed consent step in a back-office process may sound dry. It is not dry when your medical privacy is on the line. The lesson is a simple one: Insurers should not be trusted to mark their own homework, and consumers should never have to carry the risk of an insurer’s sloppy systems.

There is, of course, more to know than can be covered here. As the usual legal disclaimer goes, this information is general in nature because legal advice always depends on your circumstances.

Contact

You can call us at (03) 9969 7077 or via email at info@leonardwelch.au.

Leonard & Welch – the original (and the best) super lawyers!

💼 No Win No Fee