In a major breach of privacy, customer data—including sensitive medical records—from India’s largest health insurer, Star Health, is now publicly available via chatbots on Telegram.
Personal data of over 31 million customers of Star Health and Allied Insurance Company has allegedly been sold by a senior official, according to a UK-based cybersecurity researcher. The information includes mobile numbers, addresses, and medical conditions. Star Health has not responded to queries regarding these claims but has warned customers about potential fraudulent activities.
The UK researcher, Jason Parker, revealed on Friday that a hacker named xenZen published a website displaying sample data from Star Health. This includes an email exchange with a top official managing the company’s digital network. “I am leaking all Star Health India customers and insurance claims sensitive data. This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly,” xenZen claimed.
Star Health and Allied Insurance, valued at over $4 billion, confirmed to Reuters that they have reported unauthorised access to local authorities. They stated that their initial assessment found “no widespread compromise” and that “sensitive customer data remains secure.” However, Reuters managed to download numerous policy and claims documents through the chatbots, raising serious concerns about data security.
The hacker has set up Telegram bots to access data of 31,216,953 customers updated until July 2024 and 5,758,425 claims available until early August.
This is not the first time the breach has happened. Back in December 2022, Star Health reported a cyber fraud incident. On March 23, 2023, they informed BSE about unauthorized access to their mobile application during a regular assessment.
