Bupa Suffers Data Breach

Bupa, the international healthcare group with a presence in 190 countries, has been stung by a data breach, after an employee inappropriately copied and removed information from one of the company’s systems.

The data includes the names, dates of birth and nationality of customers, as well as some contact and administrative information such as membership numbers. 

In a video posted online, Shelton Kenton, the managing director of Bupa Global, the company’s health insurance division, said that the information does not include any financial or medical data. 

“The data comes from one particular part of Bupa, Bupa Global which handles international health insurance, mainly for people who work overseas or travel on a regular basis. To be clear this does not affect Bupa’s other businesses such as Bupa Australia, Bupa Chile and Bupa UK,” he said.

The data breach does not affect customers with domestic health insurance.

Kenton explained that the company had been in touch with affected customers (108,000 international health insurance customers) and had introduced additional security measures. He added that Bupa had informed the UK Financial Conduct Authority (FCA) and Bupa’s other regulators, and that an investigation was also underway.

Mark James, security specialist at IT security company ESET, said that while there was a clear indication of what was and what was not stolen, the data could still be used in an attempt to scam or phish other details from customers. 

James suggested that customers are more likely to fall victim to phishing in this instance because an e-mail could include their full name and membership details. 

“If you are contacted by phone or email then double check with the sending organization before further communication is made,” he said. 

Bupa has advised its customers to be suspicious of anyone who asks for bank account or credit card details, to double-check the sender's e-mail address, and not to download anything or let anyone log on to their computer or device remotely as a result of an unsolicited call, even if the caller claims to be from Bupa or another company that is known to the customer.
