Former users of Bupa’s international travel insurance plan may be affected by the firm’s data breach, New Statesman Tech can disclose.
The healthcare provider revealed on Wednesday that a rogue employee had copied and deleted data relating to 547,000 customers of the plan.
Now, a spokesperson has confirmed that the leak includes information relating to “some” past customers who have dropped the service.
The breached data features names, dates of birth and nationalities, as well as some contact and admin information, but nothing financial or medical.
It’s feared that affected customers could become the targets of phishing attacks if the data falls into the wrong hands.
The spokesperson said the firm would contact everyone affected, including former customers.
The Data Protection Act does not set out any specific minimum or maximum periods for retaining personal data – but according to the Information Commissioner’s Office (ICO), personal data “processed for any purpose or purposes should not be kept for longer than is necessary for that purpose or those purposes”.
When Bupa first announced the breach, an ICO spokesperson said: “Organisations have a duty to protect people’s privacy and personal data. We have been made aware of an issue involving Bupa Global and are making enquiries.”
Bupa Global’s managing director, Sheldon Kenton, said the employee responsible has been dismissed and the firm is taking legal action.
“A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa’s other UK regulators,” he added.