Life insurer sanctioned, but not named, for medical info breaches

Mike Taylor

Managing Editor/Publisher, Financial Newswire

4 March 2026
Feather duster

The Life Code Compliance Committee has sanctioned, but not named, a major insurer for collecting customers’ medical information without obtaining a valid medical authority.

The LCCC’s announcement of the sanction said the activity on the part of the life insurance company had occurred between March 2020 and March 2024 and involved a total of 2,171 applications, impacting more than 2,000 customers. The LCCC conventionally does not name member companies against which it imposes sanctions.

The excuse provided by the unnamed insurer is that it temporarily reassigned staff from a business area where consent was automatically obtained as part of the application process to an area where consent was not automatically captured.

The LCCC noted that to obtain valid consent, a request must use the prescribed authority wording, as agreed by the Council of Australian Life Insurers and the Royal Australian College of General Practitioners.

“This requirement is a fundamental customer protection that ensures consent is informed, transparent and aligned with the Code’s principles,” the LCCC said.

It said the insurer identified the issue following a complaint from a customer in early 2024, which had gone undetected by the insurer’s quality assurance and monitoring processes. The insurer confirmed that more than 2,000 customers were affected across 2,171 applications.

LCCC chair Jan McClelland issued a statement emphasising the seriousness of the breach.

“Collecting medical information without valid consent is a serious failure of a fundamental customer protection under the Code,” McClelland said.

“Customers must clearly understand what medical information is being requested, how it will be used, and how it will be protected. That transparency is central to informed consent.”

The LCCC noted that once the insurer identified the breach, it investigated the cause, duration and scope of the issue and apologised to affected customers before implementing a series of corrective actions including staff training and guidance, system fixes and stronger quality assurance.

Explaining its approach, the LCCC stated: “Collecting medical information without valid consent breached a fundamental commitment of the Code and a key safeguard that protects customer privacy through informed consent.

“We found the insurer had gaps in oversight, particularly where processes depend upon manual steps instead of automated controls. Having weighed the seriousness and scale of the breach against the remediation undertaken by the insurer, we determined that a formal warning was the appropriate and proportionate outcome.”
