Bupa data blooper

  • By Paul Sullivan

Private healthcare company Bupa has been penalised by the Information Commissioner’s Office (ICO) for failing to have effective security measures in place to safeguard the personal data of 547,000 customers.

A rogue employee sent data reports, including the sensitive personal data of customers, to his personal email address between January and March 2017 before offering this information for sale on the ‘dark web’.

An ICO spokesman said:

Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it. Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.

The breach was brought to the attention of Bupa by an 'external partner' who saw the data being offered for sale online in June 2017.   

A fine of £175,000 was imposed under the Data Protection Act 1998, although it should be borne in mind that the breach pre-dated the new regime of  the General Data Protection Regulation and the Data Protection Act 2018.

What safeguards does your business have in place to ensure your customers' personal data is adequately protected?

For more information about this article, or any other aspect of our data privacy solutions, get in touch.  There is no charge for initial informal advices.

Get in touch
Bupa001
£175,000 fine imposed for data breach

Back to all posts

How can we help you?

Contact us today to arrange a free ‘no obligation’ meeting.

Subscribe to eBriefings

* indicates required

Please select how you would like to hear from us:


You can unsubscribe at any time by clicking the link in the footer of our emails. For information about our privacy practices, please visit our website.