Bupa has admitted to a massive data breach after customer information was copied and deleted in a violation of rules.
The security incident occurred after an employee copied and deleted the details of 108,000 customers with international health plans. The tampered with data included names, dates of birth, nationalities and some contact details.
The company said no medical or financial data was lost and that it is alerting customers whose information had been affected.
It warned customers that their “policy information has been inappropriately copied and removed” and that they should be suspicious of fraudsters who might try and use the details for financial gain.
“We know that this will be concerning and I would like to personally apologise,” the letter said. “Protecting the information we hold about you is our absolute priority and I am sorry that this has happened. We are taking this seriously and taking steps to address the situation.”
Bupa assured customers it hadn’t suffered from a cyber attack and said a rogue employee was to blame.
“This was not a cyber attack or external data breach, but a deliberate act by an employee,” the company said.
Bupa has fired the employee responsible for the problem. It said it is investigating the issue and has added additional security measures in the mean time.
“A thorough investigation is under way and we have informed the Financial Conduct Authority and Bupa’s other UK regulators,” said Sheldon Kenton, managing director of Bupa. “The employee responsible has been dismissed and we are taking appropriate legal action.”