A Bupa employee inappropriately copied and removed customer information relating to around 108,000 international health insurance plans, the company has said.
The data included names, dates of birth, nationalities, some contact and administrative information but not financial or medical data.
The private healthcare company said it is contacting people who were affected.
It added that protecting customer information was “an absolute priority”.
In an online statement, Bupa explained that the insurance plans in question belonged to customers whose policy numbers begin with “BI”.
Customers with domestic health insurance have not been affected, but UK customers could be if they purchased plans for use abroad.
“A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa’s other UK regulators,” said Sheldon Kenton, managing director of Bupa Global.
“The employee responsible has been dismissed and we are taking appropriate legal action.”
The Information Commissioner’s Office said that it is aware of an issue involving Bupa Global and is making enquiries.
Victims of the breach should look out for signs of identity theft, said Paul Edon at security software firm Tripwire.
For example, scam emails might use data from the breach to trick the recipient into thinking they are being contacted on legitimate grounds.
“Unfortunately, humans are the weakest link in security,” he added.
“Despite many of us being trustworthy, there are some insiders that break and damage that trust.”