North Rhine-Westphalia’s chief data protection officer is investigating the illegal exchange of health data between insurance companies. She has launched investigations against ten providers.
They are said to have exchanged their customers’ health data via a shared email distribution list: North Rhine-Westphalia’s state data protection officer has initiated investigations against ten insurance companies for an illegal exchange of personal data.
According to a statement from NRW data protection officer Bettina Gayk in Düsseldorf, customer data from foreign travel health insurance companies was affected. The insurers are said to have illegally shared the information with each other – along with other companies – in order to uncover cases of fraud.
Medical diagnoses exchanged
To exchange data, the insurers are said to have used a closed distribution list, for which several employees of the companies involved were registered. This was used to exchange health data such as medical diagnoses and data on minors.
Almost 30 other insurers from other federal states and abroad are said to have been involved in the illegal exchange. The responsible authorities have therefore launched a jointly coordinated investigation.
“The use of the email distribution list is all the more surprising as there is a way, agreed with the data protection supervisory authorities and established for years in the insurance sector, to exchange information about potential cases of fraud in compliance with data protection regulations,” criticized Gayk. She refers to the so-called HIS system, which provides clearly regulated criteria for queries, registrations and deregistrations. The rights of those affected are protected and deletion periods are also provided. However, highly sensitive health data may not be processed in this system either.
The aim of uncovering insurance fraud is legitimate. However, the privacy of innocent policyholders must not be “seriously violated” to achieve this, warned Gayk. The state commissioner says she has contacted the companies involved and stopped the illegal data exchange. The investigation is not yet complete. Fines can be imposed for data protection violations.
Overall, people in Germany have recently been significantly more dissatisfied with their insurance. According to the Insurance Arbitration Board, the number of complaints rose to more than 21,500 last year. In 2023, there were only around 18,000 cases.