Home / News & Resources / News & Updates / Has the Bupa data breach put your privacy at risk?

Has the Bupa data breach put your privacy at risk?

  • Posted on

Last month, Bupa was fined £175,000 by the Information Commissioner's Office (ICO). The latest data breach fine handed out by the regulator came after a rogue Bupa employee inappropriately copied and removed customer information to sell on the dark web.

A subsequent investigation by the ICO found that the health insurance provider failed to have adequate security measures in place to protect its customers' personal information.

547,000 Bupa Global customers were affected, and 43,000 of those customers had a correspondence address in the UK.

If you are a Bupa customer whose data was put at risk, you should now consider a data breach compensation claim.

What happened in the Bupa data breach case?

Between 6 January and 11 March 2017, a Bupa employee stole the personal information of 547,000 Bupa customers and offered it for sale on the dark web. The member of staff extracted information from Bupa's customer relationship management system and sent to this to his personal email account.

The compromised information included names, dates of birth, email addresses and nationality.

Bupa was alerted to the breach by an external partner who spotted customer data for sale. The advertisement on the dark web said:

"DB [database] full of 500k+ Medically insured persons info from a well-known international blue chip Medical Insurance Company. Data lists 122 countries with info per person consisting of Full name, Gender, DOB, Email Address plus Membership Details excluding CC Details"

Bupa informed the ICO that its data had been compromised and an investigation was launched. The employee was dismissed, and the police told about the crime.

What was the result of the Bupa data breach investigation?

Commenting on the Bupa data breach, ICO Director of Investigations, Steve Eckersley, said:

"Bupa failed to recognise that people's personal data was at risk and failed to take reasonable steps to secure it.

"Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO's investigation found no satisfactory explanation for them."

The investigation also uncovered that Bupa's systems put 1.5 million records at risk.

Bupa has been fined £175,000 for the data breach. But, due to the timings of the offence, the case was not dealt with under the new GDPR. The current data protection laws allow the ICO to hand out much more substantial fines so it could be argued that Bupa got away lightly.

What should you do now?

Bupa has said that it has contacted all affected customers. And, if you have suffered damage or distress caused by Bupa's breach of the Data Protection Act, you have a right to claim compensation.

You can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

Being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. So you should seek compensation for a failure to look after your information correctly.

How much compensation could you get for the Bupa data breach?

At Hayes Connor Solicitors we have already been contacted by Bupa customers distressed that their personal information was not looked after as carefully as it should be.

And, because we've been helping people to get the compensation they deserve for over 50 years, we know what it takes to make a successful data breach claim.

Data breaches often have severe consequences for those affected, and in this case, you could be entitled to around £1,500 (or more depending on your circumstances). And, because we offer no-win, no-fee funding arrangements, you have nothing to lose.