Bupa data blooper
By Paul Sullivan LLM MCIM
Private healthcare company Bupa has been penalised by the Information Commissioner’s Office (ICO) for failing to have effective security measures in place to safeguard the personal data of 547,000 customers.
A rogue employee sent data reports, including the sensitive personal data of customers, to his personal email address between January and March 2017 before offering this information for sale on the ‘dark web’.
An ICO spokesman said:
“Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it. Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.”
The breach was brought to the attention of Bupa by an 'external partner' who saw the data being offered for sale online in June 2017.
A fine of £175,000 was imposed under the Data Protection Act 1998, although it should be borne in mind that the breach pre-dated the new regime of the General Data Protection Regulation and the Data Protection Act 2018.
What safeguards does your business have in place to ensure your customers' personal data is adequately protected?
For more information about this article, or any other aspect of our data privacy solutions, get in touch. There is no charge for initial informal advice.