Bupa, a London-based international healthcare group, will notify customers a former employee inappropriately removed customer information from the company, Bupa Global Managing Director Sheldon Kenton wrote in a July 13 statement.
A former employee of the company's international health insurance division, called Bupa Global, reportedly copied and removed customer information related to around 108,000 policies. These policies comprised roughly 547,000 affected customers, according to International Business Times.
The removed information — which includes names, dates of birth and nationality — affects current and former customers with international private health insurance with a policy number that begins "BI." The compromised information does not include financial or medical data.
The affected information was reportedly made available for purchase online, including one listing posted on a "dark web" marketplace in June, according to International Business Times. However, it is unclear if the employee who allegedly stole the information posted it.
"We are contacting those customers who are affected to apologize and advise them as we believe the information has been made available to other parties," Mr. Kenton wrote. He added Bupa informed relevant regulators in the United Kingdom and an investigation is underway.
Bupa also dismissed the employee reportedly responsible for the breach. "This was not a cyberattack or external data breach, but a deliberate act by an employee," Mr. Kenton wrote. "We have introduced additional security measures and increased our customer identity checks."