In recent days, news from North Rhine-Westphalia has caused a stir: several insurance companies are said to have unlawfully exchanged their customers' health data by email in order to uncover fraud. But what exactly happened, and what does this mean for us as consumers? We explain what is known about the incident and how to assess it.
What exactly is it about?
The State Data Protection Commissioner of North Rhine-Westphalia has officially launched an investigation after it emerged that around ten insurance companies had shared customer data, including sensitive health data, with each other by email. This did not happen in a secure and legally protected manner, but via a so-called "e-mail distribution list" to which several employees of the companies involved had access.
The information shared included medical diagnoses and also data on underage policyholders. An additional shock: not only companies from North Rhine-Westphalia are said to be affected, but also insurers from other federal states and from abroad, which made a large-scale investigation by the authorities necessary.
Why is this a problem?
The insurers' intention was clear: they wanted to uncover cases of fraud and prevent criminal activity within the insurance system from going undetected. But here's the catch: the route the companies chose is anything but compliant with data protection law. There are long-established procedures through which insurance companies can exchange information about suspected fraudsters securely and lawfully. So why take this risky step?
According to Bettina Gayk, the State Data Protection Commissioner, it is particularly astonishing that this data exchange took place by email, even though other solutions for sharing such information in compliance with data protection law have long been available. The accusation is serious: despite the legitimate aim of preventing fraud, the privacy of innocent policyholders was disregarded. Even when insurance fraud is uncovered, the rights and protection of the people concerned must not be carelessly set aside.
What happens now?
The scandal has already had consequences. The responsible data protection authorities have contacted the companies concerned and stopped the unlawful exchange of data. However, the proceedings have not yet been concluded, and it remains to be seen whether, and to what extent, fines will be imposed on the insurers. After all, sharing such sensitive data without a legal basis is not only a breach of data protection law; it can also massively damage policyholders' trust in the industry.
The boundary between fraud prevention and data breach
It is good that the authorities are stepping in, but this case sheds further light on the shortcomings that still exist in many areas of data protection. We are dealing with a "non-error" here: it was not simply ignorance, but a conscious decision to take a risky route to achieve a goal. Of course, the desire to combat fraud is understandable, but the way this was done is simply negligent. We must not forget that this is not just about numbers on a piece of paper, but about the trust of the people who entrust their insurance companies with their most intimate data. This kind of behavior by large companies is a transgression of boundaries that should not go without consequences.