International healthcare provider, BUPA, has admitted a breach of data protection rules over mishandling more than a hundred thousand customers’ personal information.
BUPA is understood to have lost the information by copying and deleting data, which is against company policy. The information lost included patient first and last names, dates of birth, nationalities and contact information.
BUPA customers have been notified of the data breach. Whilst no medical or financial information is thought to have been lost in this security incident, some customers may understandably be angry.
BUPA Statement
Sheldon Keating, managing director of BUPA, said:
“We know that this will be concerning and I would like to personally apologise… Protecting the information we hold about you is our absolute priority and I am sorry that this has happened. We are taking this seriously and taking steps to address the situation.”
Unfortunately, similar words have been said many times after previous breaches. If protecting information was such an “absolute priority”, why was more not done to prevent this incident from happening?
Data protection expectations
When customers provide their contact information or personal information, they expect it to be kept safe. Companies need to make sure that all the personal information they have access to is kept safe and secure. This means that no third party, be it a hacker or an employee of the company, can maliciously or accidentally cause a data breach.
BUPA has clearly failed their customers given the lost data.
U.K. law
Under the U.K.’s Data Protection Act, companies must only use their customers’ personal information for an authorised reason. Misusing personal information belonging to another can be a serious crime.
In this incident, BUPA ‘assures’ us there was no malicious intent, and the employee responsible for the breach has now been dismissed. BUPA explains they have introduced “additional internal security measures” in light of the incident; it’s just too bad they didn’t think of this earlier.
Why is data security still not a top priority?
A lot of companies seem to be rather indifferent to cybersecurity and only choose to upgrade systems when they have already been attacked or suffered a breach. Some organisations seem to have taken the risk that they might not suffer a data breach and then scramble to pick themselves up when one happens.
With so much information accessible via the internet and our constant access to the World Wide Web, data breaches are extremely common and will likely only increase if things are left the way they are.