Bupa has been hit by a major data breach after an employee deliberately stole 108,000 customers’ private information, the company said.
The data, which included names, dates of birth, nationalities and some contact details, was “inappropriately copied from a database and shared with third parties”.
Sheldon Kenton, Managing Director of Bupa Global (formerly Bupa International) said, "We recently discovered an employee of our international health insurance division (which is called ‘Bupa Global’), had inappropriately copied and removed some customer information from the company. Around 108,000 international health insurance policies are affected.
The information does not include any financial or medical data, and relates to a portion of customers with international health insurance.
Customers of Bupa’s local (domestic) health insurance businesses are not affected, and not all of the Bupa Global division’s 1.4 million international health insurance customers are affected.
We are contacting those policy holders who are affected to apologise and advise them as we believe the information has been made available to other parties. The data includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers. The information was not deleted from our system.
Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation. This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa’s other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action."
Answers to general questions about the incident
1) What has happened? An employee of the Bupa Global international health insurance division (formerly Bupa International) has been found to have inappropriately copied and removed some customer information from the company. The employee has been dismissed.
2) What information has been taken? The information does not include financial or medical data. The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers.
3) How many records have been compromised? Globally this affects around 108,000 insurance policy holders covering 547,000 people. Bupa Global has 1.4m international health insurance customers.
4) How many insurance customers does Bupa have? Bupa has 16.5 million health insurance customers, with 1.4m of them being international health insurance customers.
5) Does this affect former customers? Yes this affects some current and former international health insurance customers, who have policy numbers that begin ‘BI’.
6) I have heard rumours of up to 1m records being compromised? Is this true? No. All of the information and statements we have made public this week, remain valid. We are aware of a report that suggested that on 23rd June 2017 a former employee claimed to have 500,000 to one million records for sale. Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed.
Latest from Cyber Policy Magazine
- Aon and Guidewire Launch Cyber Scenario for a U.S. Dam Attack
- Generali Launches Its Fully-Dedicated Cyber Insurance Function And The CyberSecurTech Start-Up
- Silent Cyber Added To Willis Re’s Cyber Portfolio Management Tool PRISM-ReTM
- Companies Will Make Major Enterprise Wide Changes To Address Cyber Risk In 2018
- DAS Spain Launches DAS Cyberbullying Insurance