Bupa: Rogue staffer stole health insurance holders' personal deets

Healthcare firm Bupa suffered a data breach when an employee of its international health insurance division inappropriately copied and removed some customer information. People who have taken out international health insurance with the company were notified on Wednesday that the data taken includes "names, dates of birth, …

  1. JimmyPage Silver badge
    Coat

    Seems like BUPA wanted to outdo the NHS

    at everything.

  2. m0rt

    It is amazing just how many firms, who come clean about data breaches, happen to be in the middle of a security upgrade.

    Just goes to show how excellent their board are to steer the company right just as it is needed.

  3. Daedalus

    Boggled

    I am continually amazed that organizations allow mass access to data to anybody at all, even developers. Nobody can "accidentally" download data or "lose" a data disk containing tens of thousands of personal information nuggets if such access is impossible. At the very least, personal IDs should be hashed as soon as entered into the system so that their only function is to verify details given by the patient, and then only on a per-need basis. The only access should be on a single-record basis once ID is verified by the hash.
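The single-record, hash-verified lookup described in the post above, written out as an added Python example (it is not code from the thread or from Bupa). It uses a keyed hash (HMAC-SHA256) rather than a bare hash, because policy numbers have little entropy and an unkeyed hash of them could be reversed offline by whoever copied the table; the key, identifiers and records are all constructed for the demo, and the key is assumed to live somewhere other than the database it protects.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret. Assumption: in a real deployment it is held in
# a KMS/HSM, so a copy of the records alone is not enough to rebuild the mapping.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a patient/policy identifier.

    Normalises case and whitespace first so the same ID always maps to the
    same pseudonym, then HMACs it so the low-entropy ID cannot be brute-forced
    from the stored value without the key."""
    canonical = patient_id.strip().upper().encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


# Constructed sample data. The raw identifier is never stored; only its
# pseudonym is used as the lookup key.
_RAW_SAMPLE = [
    ("POL-100234", "1980-04-12", {"name": "A. Example", "plan": "Gold"}),
    ("POL-100235", "1975-11-30", {"name": "B. Example", "plan": "Silver"}),
]
RECORDS = {
    pseudonymise(pid): {"dob": dob, **details} for pid, dob, details in _RAW_SAMPLE
}


def fetch_single_record(patient_id: str, date_of_birth: str):
    """Per-need, single-record access.

    The caller must present the identifier and a second detail the patient
    knows (date of birth here). The identifier is hashed, the one matching
    record is located, and it is released only if the detail also matches.
    There is deliberately no function that enumerates or exports RECORDS."""
    token = pseudonymise(patient_id)
    record = RECORDS.get(token)
    if record is None:
        return None
    # Constant-time compare so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(record["dob"].encode(), date_of_birth.encode()):
        return None
    return record


if __name__ == "__main__":
    print(fetch_single_record("POL-100234", "1980-04-12"))  # the Gold record
    print(fetch_single_record("POL-100234", "1999-01-01"))  # None: detail mismatch
    print(fetch_single_record("POL-999999", "1980-04-12"))  # None: unknown ID
```

The point of the structure is that the only entry point takes one identifier plus a verifying detail and returns at most one record; a bulk "report" path simply does not exist in this module, which is the property the comment is arguing for.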

    1. a_yank_lurker

      Re: Boggled

      I suspect that most organizations do limit who has access to sensitive information but the problem is always someone will need to see the live data to do their jobs. The major weakness of any security system is the people who have legitimate, direct access to it. 'Inside jobs' whether deliberate or accidental will happen.

      1. Daedalus

        Re: Boggled

        Access to sensitive info is one thing. Mass access is quite another. It all seems to come down to either "reporting" or "mail shots". The first needs to be tightly controlled, the second tossed out.

    2. Anonymous Coward

      Re: Boggled

      Talking from experience of said company.

      Giving staff read only ODBC connections to production databases was not a good idea even if they had to send out a mailshot.

      1. Korev Silver badge

        Re: Boggled

        If the DBAs granted each group of users access to a single view with a subset of anonymised data then ODBC access could be reasonably secure.
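One way to build the "single view with a subset of anonymised data" Korev describes, as an added Python/sqlite3 example that is not from the thread or from Bupa. The table, rows and pseudonym key are constructed for the demo. SQLite has no per-user grants, so the example shows only the data-minimising view; on a server RDBMS the DBA would additionally grant the reporting/mailshot role SELECT on the view and nothing on the base table (that step is assumed, not shown).

```python
import hashlib
import hmac
import sqlite3

# Constructed key for the pseudonym column. Assumption: held by the DBA team,
# never by the users who connect to the reporting view.
PSEUDONYM_KEY = b"example-key-not-for-production"


def _pseudonym(policy_no: str) -> str:
    """Keyed, truncated hash so report rows can be joined to each other
    but not mapped back to a policy number without the key."""
    return hmac.new(PSEUDONYM_KEY, policy_no.encode(), hashlib.sha256).hexdigest()[:16]


def build_db() -> sqlite3.Connection:
    """Create the base table (holds PII) and the restricted reporting view."""
    con = sqlite3.connect(":memory:")
    con.create_function("pseudonym", 1, _pseudonym, deterministic=True)
    con.executescript(
        """
        CREATE TABLE customer (
            policy_no TEXT PRIMARY KEY,
            full_name TEXT,
            dob       TEXT,
            email     TEXT,
            country   TEXT,
            plan      TEXT
        );

        -- Reporting view: no name, no email, no full date of birth, and the
        -- policy number is replaced by a keyed pseudonym. Report users see
        -- only this object.
        CREATE VIEW reporting_customer AS
            SELECT pseudonym(policy_no)                AS customer_ref,
                   country,
                   plan,
                   CAST(substr(dob, 1, 4) AS INTEGER)  AS birth_year
            FROM customer;
        """
    )
    # Constructed sample rows.
    con.executemany(
        "INSERT INTO customer VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("POL-1", "A. Example", "1980-04-12", "a@example.invalid", "GB", "Gold"),
            ("POL-2", "B. Example", "1975-11-30", "b@example.invalid", "GB", "Gold"),
            ("POL-3", "C. Example", "1990-02-02", "c@example.invalid", "DE", "Silver"),
        ],
    )
    con.commit()
    return con


def reporting_columns(con: sqlite3.Connection) -> list:
    """Column names a report user actually gets from the view."""
    cur = con.execute("SELECT * FROM reporting_customer LIMIT 1")
    return [d[0] for d in cur.description]


def reporting_rows(con: sqlite3.Connection) -> list:
    """Full view contents; useful to confirm nothing identifying leaks through."""
    return con.execute("SELECT * FROM reporting_customer ORDER BY customer_ref").fetchall()


def plan_counts_by_country(con: sqlite3.Connection) -> dict:
    """A typical reporting query that needs no PII at all."""
    rows = con.execute(
        "SELECT country, plan, COUNT(*) FROM reporting_customer GROUP BY country, plan"
    ).fetchall()
    return {(country, plan): n for country, plan, n in rows}


if __name__ == "__main__":
    db = build_db()
    print(reporting_columns(db))
    for row in reporting_rows(db):
        print(row)
    print(plan_counts_by_country(db))
```

Whether this is "reasonably secure" still depends on the grants: the view only helps if the ODBC account cannot also read `customer` directly, which is exactly the DBA-side control the next reply in the thread questions.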

        1. phuzz Silver badge
          Happy

          Re: Boggled

          But then how do you prevent a DBA from copying the data?

          Well obviously you pay all your IT staff loads of money, so that they have no incentive to steal. There, problem solved :)

  4. John Smith 19 Gold badge
    Unhappy

    "the matter had become the subject of a police investigation. "

    Wow, a data breach that's actually got the cops involved.

    They seem to be about as common as rocking horse droppings (but if we're honest they should be a lot more common).

    1. Korev Silver badge

      Re: "the matter had become the subject of a police investigation. "

      Full marks to BUPA for coming clean and notifying the affected people. Getting the cops involved would possibly lower the chance of a company 'fessing up to this kind of breach. I guess there are no right answers here.

  5. Doctor Syntax Silver badge

    "Data breaches provide a distribution hub for malware for years to come."

    Quick, at least partial solution to that: change email address. It then requires another leak somewhere to get the new one. And far easier if the original was bupa@mydomain - just change it to oops@mydomain.

  6. Anonymous Coward

    No email for me

    I'm a customer of BUPA Global and didn't get an email which suggests that not all of the data was leaked.

    1. Anonymous Coward

      Re: No email for me

      or that despite the delay before announcing this they haven't completely identified everyone involved.

    2. Anonymous Coward

      Re: No email for me

      I have not been a customer of BUPA for several years but I received such an email on Friday evening.
