Data breach at health insurer Bupa affects 500,000 customer records after “deliberate act” by rogue employee

Global health insurance provider Bupa has been left red-faced after a disgruntled UK employee leaked over 500,000 customer data records in a “deliberate act”, leading experts to warn businesses to assess what data their employees have access to.

In a statement to SmartCompany, a spokesperson for Bupa confirmed 547,000 customer records had been leaked by the employee, but said the data did not contain any financial information.

Though the employee did not have any access to the Bupa Australia health insurance data, approximately 20,000 Australian customers of Bupa Global have been affected.

“It is important to point out that this was not a cyber attack or external data breach. It was deliberate act by an employee in the UK who had no access to customer data for the Bupa Australia Health Insurance business, which is kept on separate systems,” the spokesperson said.

“The data does not include financial or medical data, however our Bupa Global team ( based in the UK) is taking this incident very seriously and has been contacting affected international health insurance customers.”

In a further statement on the company’s website, Bupa Global’s managing director Sheldon Kenton clarified the employee had “inappropriately copied and removed some customer information” and the company was taking legal action.

Concerns have been previously raised about what information employees might have from company databases that could be passed on to third parties. For example, last year saw a dispute between online fashion retailers Showpo and Black Swallow over allegations a former employee of Showpo passed the data of 300,000 customers upon starting a new job at Black Swallow.

Security expert at Sense of Security Michael McKinnon told SmartCompany while  allegations of staff members stealing data do happen, these cases are often dealt with through the courts and rarely heard by the public.

However, with the introduction of the government’s Notifiable Data Breaches Bill, set to come into effect next February for companies with more than $3 million in turnover, McKinnon is concerned some businesses may have to do more in future if someone is found to have accessed databases they shouldn’t.

“At the moment, businesses can just sweep an issue like this under the carpet, threaten the employee with legal action, and deal with it without any obligation to report it,” he says.

“But from February next year, companies will be forced to assess if leaked data could represent a serious harm to anyone, and if it does, report it…And then it becomes a whole other kettle of fish.”

McKinnon notes these issues can arise even in situations where employees are not acting in a malicious way, using the example of a lost laptop or phone with business data on it as something that would potentially need to be reported.

“This will become part and parcel for the information security of any business, and business owners need to understand and appreciate the ability to lose data through any number of means,” he says.

For businesses looking to lessen the potential of a situation such as Bupa’s occurring, McKinnon advises working off the “principle of least privilege”.

“Any data anyone has access to in the business needs to be the very least amount they need to do their job. If you start to give more privilege than needed, that’s where you open yourself up to potential exposure,” he says.

“There’s also a broader issue of looking at how you treat staff, because employees will take actions like this if they feel cornered or if they feel like they have no other choice.”

Never miss a story: sign up to SmartCompany’s free daily newsletter and find our best stories on Twitter, Facebook, LinkedIn and Instagram.