Bupa's international health insurance arm was hit by a malicious act in its British office, putting the private information of almost 20,000 Australian customers in danger.
The company admitted on Friday that an employee had "inappropriately copied and removed some customer information" at its Bupa Global division, which provides international health insurance for frequent travellers or people who work overseas.
"The data taken includes: names, dates of birth, nationalities, and some contact and administrative details including Bupa insurance membership numbers," Bupa Global managing director Sheldon Kenton said.
The data was then "made available to other parties", he added.
"We are contacting those customers who are affected to apologise and advise them, as we believe the information has been made available to other parties."
A Bupa Australia spokesperson said that, among the 547,000 customers affected worldwide, 19,595 were believed to be Australians.
"It is important to point out that this was not a cyber attack or external data breach. It was a deliberate act by an employee in the UK who had no access to customer data for the Bupa Australia Health Insurance business, which is kept on separate systems," the spokesperson said.
The company would be "taking appropriate legal action" against the responsible staff member, who had now been dismissed.
"We have introduced additional security measures and increased our customer identity checks. A thorough investigation is under way and we have informed the FCA and Bupa's other UK regulators," Mr Kenton said.
Customers caught up in the incident have policy numbers starting with "BI". The BBC confirmed on Friday that the Information Commissioner's Office in Britain was making inquiries.
This story first appeared in Business Insider.