Update: the number of Australians affected was updated by Bupa Australia.
Bupa’s international health insurance arm was hit by a malicious act in its UK office, putting the private information of almost 20,000 Australian customers in danger.
The company admitted on Friday that an employee had “inappropriately copied and removed some customer information” at its Bupa Global division, which provides international health insurance for frequent travellers or people who work overseas.
“The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers,” said Bupa Global managing director Sheldon Kenton.
The data was then “made available to other parties”, Kenton added.
“We are contacting those customers who are affected to apologise and advise them as we believe the information has been made available to other parties.”
A Bupa Australia spokesperson told Business Insider that among the 547,000 customers affected worldwide, 19,595 were believed to be Australians.
“It is important to point out that this was not a cyberattack or external data breach. It was deliberate act by an employee in the UK who had no access to customer data for the Bupa Australia Health Insurance business, which is kept on separate systems,” the spokesperson said.
The company will be “taking appropriate legal action” against the responsible staff member, who has now been dismissed.
“We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa’s other UK regulators,” said Kenton.
Customers that have been embroiled in the incident have policy number starting with “BI” and the BBC confirmed on Friday that the Information Commissioner’s Office in the UK is making enquiries.