Firm admits employee action resulted in breach of customer data including names and dates of birth
Personal information has been compromised after private health insurance firm Bupa Global admitted a data breach.
The leaked information apparently does not include any medical or financial information, but it does include names, dates of birth and nationalities, as well as certain contact and administrative information.
Bupa Global (formerly Bupa International) said in a customer update that the data breach does not affect Bupa customers with local (or domestic) health insurance policies.
Rather, the breach affected those Bupa customers who have international private health insurance policies. These global policies are taken out by people who frequently travel or who work overseas.
It is thought that around 108,000 international health insurance policies are affected, and that the breach concerns users with policy numbers beginning with ‘BI’.
It seems that the firm had discovered the breach after an employee had ‘taken’ the information from some of its systems.
The staff member in question has been fired and Bupa Global is taking legal action against them.
“We recently discovered an employee of our international health insurance division (which is called ‘Bupa Global’) had inappropriately copied and removed some customer information from the company,” explained Sheldon Kenton, MD of Bupa Global.
“Customers of Bupa’s local (domestic) health insurance businesses are not affected, and not all of the Bupa Global division’s 1.4 million international health insurance customers are affected,” he added.
He explained that the firm is contacting affected customers to apologise and advise them, as it believes the information has been made available to other parties.
“Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation,” he added.
“This was not a cyber attack or external data breach, but a deliberate act by an employee,” he said. “We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa’s other UK regulators.”
Last month the Information Commissioner’s Office (ICO) fined Basildon Council £150,000 for publishing the personal information of a family online, which included information about their mental health and disabilities.
And earlier this year the regulator also handed out a £150,000 fine to Royal & Sun Alliance Insurance (RSA) after it lost a hard drive containing the personal information of nearly 60,000 customers.