The data included names, dates of birth. nationalities, some contact and administrative information, and Bupa insurance membership numbers but no financial or medical data.
In total, 108,000 members with international policies were affected, among them 43,000 from the UK.
A statement from the company said it would be contacting the customers who were affected.
Commenting on the breach, Darran Rolls, chief technology officer and chief information security officer for identity governance vendor Sailpoint, said: “Unfortunately, there is no silver bullet solution to solve an employee error, but if companies take a layered approach that includes awareness and education alongside preventive and detective controls they will be much more secure.
“From an IT perspective, empowering users to work how they want requires a delicate balance between convenience and controls. Getting the balance wrong can result in both unhappy users and a host of new security vulnerabilities.
"The easiest answer is to simply lock everything down, however, policies that restrict access to cloud applications or limit their use via mobile and desktop control solutions are no longer an option for organisations looking to innovate and enable the agility required to win in business today.
“Instead, businesses should embrace the end user’s desire to be productive. IT needs to facilitate controls with a balance of enhanced user access and new IT visibility and controls."