Second healthcare data breach in under a week

Bupa employee responsible for removing information relating to 547,000 international health insurance plan customers

Just a week after Building Better Healthcare reported how a private firm lost more than 700,000 items of NHS medical correspondence; it has been revealed that a data breach by private medical giant, Bupa, could affect a further 50,000 people.

A National Audit Office probe found that at least 1,788 patients suffered potential harm as a result of NHS Shared Business Services – a joint venture between the Department of Health and Sopra Steria – losing the results of blood tests and scans informing doctors that patients had cancer and other serious medical conditions.

Although people tend to associate breaches with hackers; the truth is that many data breaches involve people inside work

And, just days later, it has been reported that a Bupa employee inappropriately copied and removed information relating to 547,000 international health insurance plan customers.

The data included names, dates of birth, nationalities, some contact and administrative information, but not financial or medical data, Bupa admitted.

The private healthcare firm said concerns were first raised about a breach in June. It is now contacting affected customers.

In a statement Bupa explained that data relating to 108,000 international insurance plans were taken and that these belonged to customers whose policy numbers begin with ‘BI’.

Customers with domestic health insurance have not been impacted, but British customers could be if they purchased plans for use abroad.

Bupa added that the employee responsible had been dismissed and it was taking ‘appropriate legal action’ against them.

The Information Commissioner's Office said it is aware of an issue involving Bupa Global and is making enquiries.

Commenting on the latest scandal, Dan Sloshberg, a cyber resilience expert at Mimecast, said: “The digital transformation of healthcare is at risk unless cybersecurity is taken more seriously.

“Bupa customers must now be alerted to the risks of follow-up spear-phishing attacks using this stolen data to carefully craft attack emails or conduct fraudulent phone calls.

”After WannaCry, WhatsApp and SnapChat fears, healthcare organisations absolutely must improve how they establish, build and maintain customer trust.”

Itsik Mantin, director of research at Imperva, added: "Although people tend to associate breaches with hackers; the truth is that many data breaches involve inside work, as was this breach which happened, according to Bupa, by an employee.

“As we’ve seen in past high-profile cases, data breaches caused by careless, malicious or compromised insiders are real and serious.

Businesses can employ solutions, especially those based on machine learning technology that can process and analyse vast amounts of data, to help them pinpoint critical anomalies that indicate misuse of enterprise data and that also help them to quickly quarantine risky users to prevent and contain data breaches pro-actively

“Because the problem begins with users that have legitimate access to enterprise data, attacks from the inside can be present for long periods of time before finally being detected. What’s more, costs associated with loss of data can run in the millions and lead to customer loss, brand damage, and stock price decline.

“To mitigate the risk, organisations should ask themselves where their sensitive data lies and invest in protecting it.

“Businesses can employ solutions, especially those based on machine learning technology that can process and analyse vast amounts of data, to help them pinpoint critical anomalies that indicate misuse of enterprise data and that also help them to quickly quarantine risky users to prevent and contain data breaches pro-actively."

Click here to read last week's breach article.

Companies