The penalty was imposed on Bupa Insurance Services Limited by the Information Commissioner's Office (ICO).
The watchdog said that, between January and March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web.
The employee, who was later dismissed, accessed the information via Bupa's customer relationship management system, known as Swan, which holds records relating to 1.5 million people.
The employee sent bulk data reports to his personal email account and the compromised information, which included names, dates of birth, email addresses and nationality, was later offered for sale on the dark web, the ICO said.
ICO director of investigations Steve Eckersley said: "Bupa failed to recognise that people's personal data was at risk and failed to take reasonable steps to secure it.
"Our investigation found material inadequacies in the way Bupa safeguarded personal data. The inadequacies were systemic and appear to have gone unchecked for a long time. On top of that, the ICO's investigation found no satisfactory explanation for them."
Bupa was alerted to the breach in June 2017 by an external partner who spotted customer data for sale.
Bupa and the ICO received 198 complaints about the incident.
The ICO said its investigation found that, at the time, Bupa did not routinely monitor Swan's activity log. Bupa was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data.
Failing to keep personal data secure is a breach of the Data Protection Act 1998.
A spokeswoman for Bupa Global said: "We accept this decision by the ICO and have co-operated fully with its investigation.
"We take our responsibility for protecting customer information very seriously.
"We have since introduced additional security measures to help prevent the recurrence of such an incident, reinforced our internal controls and increased our customer checks."