An employee "copied and removed" the personal information of more than 100,000 international health insurance plan customers from the systems of health insurer Bupa.
The data included names, dates of birth, nationalities, some contact and administrative information. No medical or financial data is at risk.
The now ex-staffer is believed to have made the information they have available to "other parties" too, according to a letter sent to the 108,000 international health insurance policy holders from Sheldon Kenton, managing director of Bupa Global, the firm's international health insurance division.
"We know that this will be concerning and I would like to personally apologise," Kenton said in the letter.
She said the company had introduced additional security measures and increased customer identity checks as a result of the breach.
"A thorough investigation is underway and we have informed the FCA and Bupa's other UK regulators. The employee responsible has been dismissed and we are taking appropriate legal action."
She said the firm has been in touch with UK data watchdog the Information Commissioner's Office (ICO) and the police.
The firm has not provided detail on which "other parties" may have access to the data, nor when the incident took place.
Security expert Graham Cluley said the data would allow criminals to phone customers posing as Bupa Global staff, sharing enough information about customers to persuade their victims to part with more valuable data.
"It's easy to imagine how someone vulnerable could get a phone call out of the blue, believe it's Bupa, and give the criminals valuable information," he said.