I am not sure if this is the case in all European countries, but in my domicile a non-MD has no right of access to any medical data. The insurance company has physicians working for them who can review medical data; after their review (and if needed, after seeing the patient) all they are allowed to tell the insurance company is "fit" or "not fit" (in this case, to travel). As the insurance company MD is bound by medical secrecy, this gives the customer/patient the certainty that medical data remains secret (as it should).
Of course unscrupulous insurance company workers may try to ask for medical data, but they are not supposed to do so.