The UK's Information Commissioner's Office has fined Bupa £175,000 after an investigation found the health insurer failed to have "effective security measures in place to protect customers' personal information" in the wake of a massive breach that saw a rogue employee extract data and put it up for sale on the dark web.
The employee accessed the sensitive information of 547,000 global customers – including almost 20,000 Australians – during January and March 2017 through Bupa's customer relationship management system, SWAN. At the time, the repository stored records relating to 1.5 million people and was used to manage claims under customers' international health insurance policies.
The employee sent "bulk data reports" to his personal email account, according to the UK regulator, including information on names, dates of birth, nationality and email addresses.
An external partner spotted the records for sale on a popular dark web site reported to have had more than 400,000 users – it was shut down by US authorities in July last year.
According to information released by the ICO, the advertisement for the data read:
"DB [database] full of 500k+ Medically insured persons info from a well-known international blue chip Medical Insurance Company. Data lists 122 countries with info per person consisting of Full name, Gender, DOB, Email Address plus Membership Details excluding CC Details."
The ICO found that Bupa was not "routinely" monitoring the SWAN activity log and was unaware of an error in the system that meant they were unable to spot unusual activity, such as the extraction of large amounts of data.
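The control the ICO found missing is routine review of the CRM activity log for bulk extraction. As an added illustration (not the article's or Bupa's code, and the log format is an assumption constructed for this example), the Python below totals exported rows per user per day over sample activity-log lines and also flags stretches where the log goes silent, since an audit log that stops recording is itself a finding.

```python
"""Flag bulk report exports and silent periods in a CRM activity log.

Added example; the log format is constructed for this illustration:
    <ISO timestamp> <user> <action> records=<n>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one ordinary user, and one account pulling bulk reports,
# followed by several days in which nothing is logged at all.
SAMPLE_LOG = """\
2017-01-06T09:02:11 j.smith VIEW_RECORD records=1
2017-01-06T09:15:40 j.smith RUN_REPORT records=35
2017-01-06T10:01:03 a.jones RUN_REPORT records=48000
2017-01-06T10:42:19 a.jones RUN_REPORT records=51000
2017-01-07T08:30:00 j.smith VIEW_RECORD records=1
2017-01-07T11:20:55 a.jones EMAIL_REPORT records=99000
2017-01-11T08:30:00 j.smith VIEW_RECORD records=1
"""

EXPORT_ACTIONS = {"RUN_REPORT", "EMAIL_REPORT"}

def parse(log_text):
    """Turn log lines into (timestamp, user, action, record_count) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count.split("=")[1])))
    return events

def bulk_exporters(events, per_day_limit=5000):
    """Return {(user, day): rows} for user-days whose exported rows exceed the limit."""
    totals = defaultdict(int)
    for ts, user, action, n in events:
        if action in EXPORT_ACTIONS:
            totals[(user, ts.date().isoformat())] += n
    return {key: rows for key, rows in totals.items() if rows > per_day_limit}

def log_gaps(events, max_silence=timedelta(hours=24)):
    """Return (start, end) pairs between consecutive events separated by more
    than max_silence; a silent audit log needs checking, not ignoring."""
    times = sorted(ts for ts, *_ in events)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for (user, day), rows in bulk_exporters(evts).items():
        print(f"ALERT bulk export: {user} pulled {rows} rows on {day}")
    for start, end in log_gaps(evts):
        print(f"ALERT logging gap: nothing recorded between {start} and {end}")
```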
The watchdog said its investigation uncovered "systemic failures in Bupa's technical and organisational measures".
"Bupa failed to recognise that people's personal data was at risk and failed to take reasonable steps to secure it," ICO Director of Investigations Steve Eckersley said.
"Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO's investigation found no satisfactory explanation for them."
The employee has since been dismissed and UK police have issued a warrant for his arrest.
The ICO said that, because of the timing of the breach, the incident was dealt with under the Data Protection Act 1998 rather than the General Data Protection Regulation and the 2018 Act that replaced it in May this year.
A representative for Bupa Global said in a statement:
"We accept this decision by the ICO and have cooperated fully with its investigation. We take our responsibility for protecting customer information very seriously. We have since introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks."
Meanwhile, the ICO has released guidance on how to keep IT systems safe and secure, looking at computer, email and fax security and staff training.
Originally published on Mobihealthnews UK, a sister publication of HITNA.