Bupa has been hit by a data breach after one of its employees released customer insurance information from the company.
Managing director for Bupa Global, Sheldon Kenton, detailed what the breach contained in an online video. He said around 108,000 health insurance policies have been affected and the data doesn’t include any financial or medical data.
Bupa state that the data released includes names, dates of birth, nationalities and other contact and administrative details, such as Bupa insurance membership numbers.
The company is contacting those who are affected to advise them of the situation.
About the situation, Kenton said: “We recently discovered an employee of our international health insurance division (which is called ‘Bupa Global’) had inappropriately copied and removed some customer information from the company. Around 108,000 international health insurance policies are affected.
“The information does not include any financial or medical data, and relates to a portion of customers with international health insurance.
“Customers of Bupa’s local (domestic) health insurance businesses are not affected, and not all of the Bupa Global division’s 1.4 million international health insurance customers are affected.
“We are contacting those customers who are affected to apologise and advise them as we believe the information has been made available to other parties. The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers.
“Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation. This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa’s other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action.”
Itsik Mantin, director of research at cyber security company Imperva, spoke about the nature of the data breach, saying: “Although people tend to associate breaches with hackers, the truth is that many data breaches involve inside work, as was this breach which happened, according to Bupa, by an employee. This is not surprising given that Verizon DBIR 2017 report indicates that 1 out of 4 data breaches are attributed to insiders and, in the healthcare domain, the situation is even worse with 2 out of 3 breaches involving insiders and third parties.
“As we’ve seen in past high-profile cases, data breaches caused by careless, malicious or compromised insiders are real and serious. Because the problem begins with users that have legitimate access to enterprise data, attacks from the inside can be present for long periods of time before finally being detected. What’s more, costs associated with loss of data can run in the millions and lead to customer loss, brand damage and stock price decline.
“To mitigate the risk, organisations should ask themselves where their sensitive data lies and invest in protecting it. Businesses can employ solutions, especially those based on machine learning technology that can process and analyse vast amounts of data, to help them pinpoint critical anomalies that indicate misuse of enterprise data and that also help them to quickly quarantine risky users to prevent and contain data breaches proactively.”