Private healthcare company Bupa has been penalised by the Information Commissioner’s Office (ICO) for failing to have effective security measures in place to safeguard the personal data of 547,000 customers.

A rogue employee sent data reports, including the sensitive personal data of customers, to his personal email address between January and March 2017 before offering it for sale on the ‘dark web’.

An ICO spokesman said:

Bupa failed to recognise that people’s personal data was at risk and failed to take reasonable steps to secure it. Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO’s investigation found no satisfactory explanation for them.

The breach was brought to the attention of Bupa by an external partner who saw the data being offered for sale online in June 2017.

A fine of £175,000 was imposed under the Data Protection Act 1998, although it should be borne in mind that the breach pre-dated the new regime of the General Data Protection Regulation and the Data Protection Act 2018.

What safeguards does your business have in place to ensure your customers’ personal data is adequately protected?

By Paul Sullivan FRSA
