Data security breach investigated
A leading local insurance company has confirmed that personal client data was accidentally released to unauthorised recipients, but said it did not include personal health or financial information.
CG Insurance confirmed to The Royal Gazette that an employee “inadvertently and mistakenly” shared information containing personal client data with third-party recipients and that it has since reported the incident to regulators as required by law.
The company said it became aware of the incident, which involved members of its wellness programme, on April 6. It did not disclose how many clients were involved.
A CG statement said: “We regret the alarm and concern this incident has caused our members.
“The foundation of our work is trust, which requires continuing vigilance and action to ensure that the interests of our clients in all circumstances are protected.”
The news comes as the long-time Bermuda insurer just this week announced its 100 per cent purchase of Massy United Insurance Ltd of Barbados.
The deal expands CG’s presence in the Caribbean, adding 14 new markets in which it operates under the name CG United.
Last month’s accidental data exposure triggered an immediate and thorough investigation across all of CG owner Coralisle Group’s companies.
Executives said their enquiries concluded the following:
• The personal data shared included the respective names, date of birth, gender, employee number, place of employment and country of wellness programme members
• There was no evidence that personal health information, payment information, or e-mail addresses had been shared
• There was nothing found that would result in any negative impact nor would it be likely to prejudice the rights and freedoms of the individuals involved
• The inadvertently shared data was deleted by the third-party recipients.
CG said: “As a result of its investigation, CG Insurance adopted group-wide measures to prevent a recurrence of the incident and to further protect the privacy of its clients.
“Those measures included the introduction of additional protocols governing data sharing, the implementation of multi-check technical requirements for certain communications and increasing controls around employee access to client information.”
CG said it contacted all client company administrators to inform them of the investigation and the adoption of measures to further protect client data. It asked clients to notify their employees.