A rogue Bupa employee has copied and removed the details of 547,000 customers signed up to the company’s international health insurance plan.
The copied records don’t include health or financial data, but do contain names, dates of birth and nationalities, as well as some contact and administrative information.
The incident has prompted fears that affected customers could now become targets for phishing attacks. Bupa said it would contact those whose data had been lost.
David Kennerley, director of threat research at security firm Webroot, said the breach was a classic example of the insider threat: “[It] really highlights the fact that employees can still be an organisation’s weakest link.”
Bupa Global’s managing director, Sheldon Kenton, said the employee responsible has been dismissed and the firm is taking legal action.
“A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa’s other UK regulators,” he added.
Bupa said in a statement online that customers with domestic health insurance were not affected.
In total, data linked to 108,000 international insurance plans was taken. A Bupa spokesperson said that 43,000 of the affected customers had a correspondence address in the UK.
A spokesperson for the Information Commissioner’s Office said: “Organisations have a duty to protect people’s privacy and personal data. We have been made aware of an issue involving Bupa Global and are making enquiries.”