by Sam Boyer and Laura McQuillan
A global health insurer’s huge data breach by a rogue employee has highlighted the need for companies to protect themselves – both before and after a theft.
Last week, international health insurance giant Bupa confirmed an employee had stolen data relating to 547,000 clients and was trying to sell it online.
This stolen data was exclusively from customers of Bupa Global, “which handles international health insurance, mainly for people who work overseas or travel on a regular basis,” managing director of Bupa Global, Sheldon Kenton, said last week.
Healthcare data is hugely popular among criminals, who sell the data on the Dark Web. In fact, excluding health insurance companies, this year in the United States alone there have been 176 data breaches “affecting 500 or more individuals” in the healthcare sector, according to the Department of Health and Human Services Office for Civil Rights.
This Bupa theft highlights a different risk for health insurers, one that can be difficult to guard against. In the past, customer data has more often been stolen by hackers – such as the enormous theft of Blue Cross Blue Shield data stolen from Anthem in 2015. In this case, it was a rogue employee who pilfered the data.
Data law expert Bradley Freedman, a partner at international law firm Borden Ladner Gervais, said lessons could be learned for companies of all types and sizes from this breach.
“This is an example of a business risk for all organizations, large or small, regardless of the industry, and there are lots of commonsense, low-cost, easy things that organizations can do to reduce the risk of this kind of an incident,” he said.
Mitigation measures include due diligence on employees and outsiders who will be accessing your organization’s systems – like contractors, suppliers and temp workers – to minimize the risk of them improperly accessing or stealing information.
However, technology – including restrictions on who can access what information – could be a company’s best defense.
“A business should organize itself and structure itself so employees have access to the data they need, but no more,” Freedman said. “You shouldn’t have one big network where everyone can access everything. It should all be segregated and locked down, with technological measures that do that.”
Organizations’ systems should collect logs of who is accessing what information – and those should be reviewed periodically for red flags. Staff should also be trained on appropriate access, the consequences if they break rules and policies, and how to avoid inadvertent misconduct – as well as how to avoid being caught out by a phishing scam that could compromise the organization’s systems.
Freedman suggested companies also use multi-factor authentication for logins to prevent staff unwittingly handing over their username and password to scammers. And if a breach occurs, a company should have systems in place to minimize the risk, and prevent a full-scale disaster.
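The periodic log review Freedman describes can be partly automated. The following script is an added example, not from the article or from Bupa: it reads a constructed application audit log (date, user, action, customer record id) and flags any user who touched far more distinct customer records in a day than their peers, the pattern an insider bulk-copying a customer database would leave. The log format, user names and thresholds are assumptions.

```python
"""Flag bulk customer-record access in an application audit log (insider exfiltration pattern)."""
from collections import defaultdict
from statistics import median

# Constructed sample audit lines (not real data): date, user, action, customer record id.
# "dave" touches 400 distinct records in one day; everyone else touches a handful.
SAMPLE_LOG = """\
2017-07-10,alice,VIEW,C1001
2017-07-10,alice,VIEW,C1002
2017-07-10,alice,VIEW,C1003
2017-07-10,bob,VIEW,C1004
2017-07-10,bob,VIEW,C1004
2017-07-10,bob,EXPORT,C1005
2017-07-10,carol,VIEW,C1006
""" + "".join(f"2017-07-10,dave,EXPORT,C{2000 + i}\n" for i in range(400))


def parse_log(text):
    """Yield (date, user, action, record) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        yield tuple(parts)


def distinct_records_per_user_day(events):
    """Map (date, user) -> set of distinct customer records touched that day."""
    touched = defaultdict(set)
    for date, user, _action, record in events:
        touched[(date, user)].add(record)
    return touched


def flag_bulk_access(text, factor=10, floor=50):
    """Return [(date, user, count)] for users whose distinct-record count in a day exceeds
    max(floor, factor * median of all users that day). The floor avoids false positives on
    quiet days when the median itself is tiny; both values are assumed tuning parameters."""
    touched = distinct_records_per_user_day(parse_log(text))
    by_day = defaultdict(dict)
    for (date, user), records in touched.items():
        by_day[date][user] = len(records)
    flagged = []
    for date, counts in sorted(by_day.items()):
        threshold = max(floor, factor * median(counts.values()))
        for user, n in sorted(counts.items()):
            if n > threshold:
                flagged.append((date, user, n))
    return flagged


if __name__ == "__main__":
    for date, user, n in flag_bulk_access(SAMPLE_LOG):
        print(f"{date}: {user} touched {n} distinct customer records")
```

In a real deployment the baseline would be the user's own history and role peers over weeks, not a single day's median; the point is that the review criterion is explicit and repeatable rather than a manual skim of raw logs.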
“It’s really a multidisciplinary thing – none of the stuff we’re talking about is an IT issue, it’s all an organization-wide risk-management problem,” Freedman said.
Nir Kossovsky, CEO of Steel City Re, which specializes in reputation insurance, said Bupa – by front-footing an apology to customers – had done what was “necessary” to momentarily assuage stakeholder concern.
“Reputation risk is the risk of leaving stakeholders disappointed and emotionally charged. A cyber breach [including employee theft of computer data] does not necessarily damage an institution’s reputation,” Kossovsky said.
In the same way that customers will not necessarily leave a bank following one bank robbery, the same would likely apply to an insurance company, he said.
“But if a bank’s security systems are not up to the challenge, customers will start doubting whether that is a safe place to keep their money,” he added. “And doubt, of course, is what reputation risk looks like.”