The employee, who worked for the Bupa Global division, was found to have illegally copied and removed private company data from over 100,000 policyholders and shared it with third parties.

The stolen information included dates of birth, nationalities and contact details.

But while the employee responsible has now been dismissed and legal action is being taken, his actions leave potentially hundreds of Jersey people wide open to identity theft, with numerous island workplaces signed up to healthcare schemes with the private insurance provider.

RBC is one of the affected companies to have come forward so far.

RBC_letter.jpeg

Pictured: An extract of the letter received by affected RBC employees in Jersey.

In a letter, past and present employees signed up to RBC’s insurance plan between February 2009 and January 2011 were told that their personal information had been compromised.

Financial and medical information was said to “remain secure”, but those in receipt of the letter were nonetheless warned to, “…remain vigilant and treat any unexpected communications received with extreme caution.” 

The breach has since generated concern. “What else can be misused by third partners?” one affected former employee asked. 

A spokesperson for RBC told Express: “RBC is closely following BUPA’s ongoing investigation and is working with them to understand the details of the breach. We take the security of all employee data very seriously and regret that this situation has impacted some of our current and former employees.”

Video: Sheldon Kenton, Managing Director of Bupa Global, explained the situation in a video.

Other firms are also at risk across both Jersey and Guernsey, Express understands, but Bupa has refused to comment on the extent to which the Channel Islands have been affected.

Since learning of the breach, Bupa Global Managing Director Sheldon Kenton assured customers that protecting their information is an “absolute priority.”

“This was not a cyber attack or external data breach, but a deliberate act by an employee. We have introduced additional security measures and increased our customer identity checks. A thorough investigation is underway and we have informed the FCA and Bupa’s other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action,” he said.

The company have since issued the following advice:

  • Be suspicious of anyone who asks for your bank account or credit card details.
  • Double-check email addresses. This means looking beyond the sender name, by checking the address of the email account.
  • Do not download software or let anyone log on to your computer or device remotely as a result of an unsolicited call, even if they claim to be calling from Bupa or another company you know.
  • Before disclosing personal information online, make sure you know who you are dealing with.
  • If in doubt, don’t open emails or attachments.
  • Stay in control – have the confidence to refuse an unusual request for information.
  • Don’t be rushed – a genuine organisation won’t mind waiting to give you time to stop and think.