Seems like BUPA wanted to outdo the NHS at everything.
Healthcare firm Bupa suffered a data breach when an employee of its international health insurance division inappropriately copied and removed some customer information. People who have taken out international health insurance with the company were notified on Wednesday that the data taken includes "names, dates of birth, …
I am continually amazed that organizations allow mass access to data to anybody at all, even developers. Nobody can "accidentally" download data or "lose" a data disk containing tens of thousands of personal information nuggets if such access is impossible. At the very least, personal IDs should be hashed as soon as they are entered into the system so that their only function is to verify details given by the patient, and then only on a per-need basis. The only access should be on a single-record basis once the ID is verified by the hash.
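One way the design sketched in the comment above could look in practice, written here as an added illustration (it is not code from the comment's author, from Bupa, or from any real system): the store keeps only a keyed hash of each patient identifier, a record can be retrieved only by presenting the matching identifier, and there is deliberately no call that lists or exports records, so an insider with application access gets one verified record at a time and every access is logged. The record fields, the sample identifiers, and the use of HMAC-SHA256 with a server-held key (rather than a bare hash, which would be brute-forceable for short, structured IDs) are assumptions made for this example.

```python
"""Verification-only identifier store (constructed example).

Assumptions: patient identifiers are short strings, the HMAC key lives in a
server-side secret store and is never shipped with a data export, and the
only read path is a per-record lookup that requires the identifier itself.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PatientRecord:
    name: str
    date_of_birth: str
    policy_number: str


@dataclass
class AccessEvent:
    actor: str
    fingerprint_prefix: str  # first bytes of the keyed hash, enough to correlate
    outcome: str             # "hit" or "miss"


class VerifiedRecordStore:
    """Records are keyed by HMAC(key, normalised identifier).

    Without both the key and the original identifier there is no way to find
    a record, and there is intentionally no method that iterates over or
    exports all records: bulk copying is not an operation the API offers.
    """

    def __init__(self, hmac_key: bytes) -> None:
        self._key = hmac_key
        self._records: dict[bytes, PatientRecord] = {}
        self._audit: list[AccessEvent] = []

    def _fingerprint(self, identifier: str) -> bytes:
        # Normalise formatting so "943 476 5919" and "9434765919" match.
        normalised = identifier.replace(" ", "").replace("-", "").upper()
        return hmac.new(self._key, normalised.encode(), hashlib.sha256).digest()

    def enrol(self, identifier: str, record: PatientRecord) -> None:
        # The raw identifier is hashed at intake and never stored.
        self._records[self._fingerprint(identifier)] = record

    def lookup(self, actor: str, presented_identifier: str) -> Optional[PatientRecord]:
        """Return the single record for a presented identifier, or None."""
        fp = self._fingerprint(presented_identifier)
        record = self._records.get(fp)
        self._audit.append(AccessEvent(actor, fp[:4].hex(), "hit" if record else "miss"))
        return record

    def record_count(self) -> int:
        return len(self._records)

    def audit_log(self) -> list[AccessEvent]:
        return list(self._audit)


def demo() -> dict:
    """Enrol two constructed patients and exercise the verified lookup path."""
    key = secrets.token_bytes(32)
    store = VerifiedRecordStore(key)
    store.enrol("943 476 5919", PatientRecord("A. Example", "1970-01-01", "INT-0001"))
    store.enrol("123 456 7890", PatientRecord("B. Sample", "1985-06-15", "INT-0002"))

    hit = store.lookup("clerk01", "9434765919")      # same ID, different spacing
    miss = store.lookup("clerk01", "9434765918")     # one digit off

    # A copy of the records taken without the key cannot be queried: a store
    # rebuilt under a different key produces different fingerprints.
    other_store = VerifiedRecordStore(secrets.token_bytes(32))
    other_store._records = dict(store._records)      # simulate a stolen table
    stolen_lookup = other_store.lookup("attacker", "9434765919")

    return {
        "hit_policy": hit.policy_number if hit else None,
        "miss": miss,
        "stolen_lookup": stolen_lookup,
        "count": store.record_count(),
        "audit_outcomes": [e.outcome for e in store.audit_log()],
        "has_bulk_export": any(n in ("all", "export", "dump") for n in dir(store)),
    }


if __name__ == "__main__":
    print(demo())
```

The audit list is what a detection team would actually watch: a single actor producing a long run of "miss" events, or far more "hit" events per shift than the role justifies, is the signal that someone is enumerating identifiers or pulling records at a scale no single task requires.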
I suspect that most organizations do limit who has access to sensitive information, but the problem is always that someone will need to see the live data to do their job. The major weakness of any security system is the people who have legitimate, direct access to it. 'Inside jobs', whether deliberate or accidental, will happen.