A Bupa employee inappropriately copied and removed information relating to 547,000 international health insurance plan customers, the company has said.
The data included names, dates of birth, nationalities, some contact and administrative information but not financial or medical data.
The private healthcare firm said concerns were first raised about a breach in June.
It is now contacting affected customers.
In an online statement, Bupa explained that data relating to 108,000 international insurance plans were taken and that these belonged to customers whose policy numbers begin with “BI”.
Customers with domestic health insurance have not been impacted, but British customers could be if they purchased plans for use abroad.
Bupa said that 43,000 of the customers had a correspondence address in the UK.
“A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa’s other UK regulators,” said Sheldon Kenton, managing director of Bupa Global.
“The employee responsible has been dismissed and we are taking appropriate legal action.”
The Information Commissioner’s Office said that it is aware of an issue involving Bupa Global and is making enquiries.
Victims of the breach should look out for signs of identity theft, said Paul Edon at security software firm Tripwire.
For example, scam emails might use data from the breach to trick the recipient into thinking they are being contacted on legitimate grounds.
“Unfortunately, humans are the weakest link in security,” he added.
“Despite many of us being trustworthy, there are some insiders that break and damage that trust.”