Around 108,000 international health policies were breached when a BUPA Global employee copied and removed data from the company without authorization.
According to BUPA, no financial or medical data is affected but details of names, date of birth, nationality and “some contact and administrative information” have been breached. Only customers with international private health insurance – policy numbers beginning with the letters ‘BI’ – are affected. BUPA Global has 1.4 million customers.
The company says it believes the information “has been made available to other parties,” adding that “This was not a cyber attack or external breach but a deliberate act by an employee.” Additional security measures and customer identity checks have been put in place and the FCA and UK regulators informed.
Healthcare organisations are highly attractive targets – they gather, share and store large volumes of highly sensitive personal data, from medical information to banking, insurance and other details. In a black market saturated with stolen credit card details and log-ins, medical records and insurance details – which can deliver a very rounded picture of the individual they belong to – represent a lucrative payday.
With so much emphasis on cyber-based threats, it’s easy to overlook the ones sitting in front of company systems: end users, malicious or otherwise. Verizon’s 2017 Data Breach Investigations Report indicates that two in every three healthcare-related breaches involve insiders and/or third parties.
Easy wins for businesses in any sector include more effective access management – proactively ensuring that employees who leave or move to different departments don’t retain unnecessary data access privileges, for example.
BUPA’s statement and further information are here.