Bupa employee stole half a million customers’ health insurance data

A rogue Bupa employee has stolen personal customer data from the health insurance giant, leaving more than half a million people compromised.

Bupa Global revealed that one of its staff members had taken international health insurance information affecting 547,000 people.

On 13 July, Sheldon Kenton, managing director of Bupa Global released a statement saying an employee had “inappropriately copied and removed some customer information from the company”.

The data included names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers.

Financial details and medical information were not taken.

The stolen information can be used by criminals for spear-phishing attacks and scams.

The unnamed staffer has been dismissed, and a Bupa spokesperson confirmed that the police and Information Commissioner’s Office (ICO) has been informed.

“Protecting the information we hold about our customers is an absolute priority and I would like to assure customers that we are treating this seriously and taking steps to address the situation”, Kenton said.

“This was not a cyber-attack or external data breach, but a deliberate act by an employee.”

Bupa Global has 1.4 million international health insurance customers, and the theft affected 108,000 policies.

Eerke Boiten, professor of cybersecurity at De Monfort University, told Digital Health News that the level of detail of on what information was taken suggests the company has “stronger protection in place for both financial and medical information than for the basis contact information that was leaked now”.

Boiten said these attacks can be defended by making sure employees do not have access to more information than necessary, and by ensuring that data does not leave the organisation in bulk.

“Maybe Bupa have been relatively lucky that it was an employee with only limited access who “went rogue”. The data can be used for identity theft and spear phishing attacks, even if it seems relatively innocuous like this.”

“But I doubt that any gain the employee could have gained from this would have been worth it in relation to the (now materialised) risks of losing their job and legal action.”

Bupa have said a thorough investigation is now underway, and that affected policy holders are being contacted.

In January the ICO revealed that health data breaches were on the rise over the preceding three months with 65 incidents reported when unencrypted devices, such as USB drives or laptops, carrying health data were stolen or misplaced.

According to Phil Booth, co-ordinator of privacy campaign group, MedConfidential, this was a deliberate act by someone looking to make money.

Booth told Digital Health News that he “welcomed BUPA’s transparency on this problem”.

The company’s openness on the issue stands in contrast to US company, Landauer, who suffered a hack that compromised the privacy of thousands of NHS staff at all nine health boards and trusts in Wales, and thousands of NHS England staff.

The data breach occurred in October last year, but trusts and health boards affected were not informed until January 2017.

Dan Sloshberg, cyber resilience expert at cybersecurity company, Mimecast, said on the Bupa incident that “customers must now be alerted to the risks of follow-up spear-phishing attacks using this stolen data to carefully craft attack emails or conduct fraudulent phone calls”.

Bupa has provided information on how to protect customers from phishing on its website.