Medical information supplied by an unknown number of customers to the bank's arm, Comminsure, was made available to other arms of the bank.
The bank said since the discovery of the potential breach, it had been scouring records to ascertain whether the data was "accessed inappropriately" by employees. While the bank said it had found no evidence of staff outside Comminsure accessing the personal data of Comminsure customers, it has informed the authorities.
