Huge Bupa customer data breach blamed on rogue employee

Bupa has blamed ‘a deliberate act by an employee’ for a data breach which has affected 108,000 policies issued by its international health insurance division.

The health insurer has insisted that the data loss was not caused by a cyber attack and apologised to affected customers for the data loss.

It has also fired the employee involved and informed the FCA of the Bupa customer data breach.

Bupa said in a statement: “We recently discovered an employee of our international health insurance division (which is called ‘Bupa Global’) had inappropriately copied and removed some customer information from the company.

“We are contacting those customers who are affected to advise them to be vigilant.”

It added: “We would like to apologise and assure customers that we are treating this seriously.”

The company said names, dates of birth, nationality and some contact and administrative information, including membership numbers, were included in the information taken by the employee. But it added that financial details and medical information were not included.

The UK-based health insurer said that customers of its domestic health division were not affected, and not all of Bupa Global’s 1.4m customers were affected.

Bupa Global managing director Sheldon Kenton said: “Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation.

“This was not a cyber attack or external data breach, but a deliberate act by an employee.

“We have introduced additional security measures and increased our customer identity checks.

“A thorough investigation is underway and we have informed the FCA and Bupa’s other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action.”