Sensitive customer data, including medical records, from India’s largest standalone health insurer, Star Health & Allied Insurance, has reportedly been made accessible through chatbots on Telegram, according to a Reuters report.
The news agency stated that the purported creator of the chatbots informed a security researcher that private details of millions of individuals were for sale, and samples could be accessed simply by interacting with the chatbots.
Star Health did not respond to FE’s email seeking comments on the data breach or the measures it has implemented to safeguard consumer data and prevent future incidents.
However, the Reuters report noted that the Chennai-based health insurance company issued a statement saying its initial assessment indicated “no widespread compromise” and that “sensitive customer data remains secure.”
Star Health is the country’s largest standalone health insurer, with a gross direct premium income of ₹15,039.33 crore in FY24, accounting for 46% of the standalone health insurance industry. According to its FY24 Annual Report, the company has covered 171 million lives since its inception.
According to the Reuters report, the chatbots reportedly allowed users to download policy and claims documents containing names, phone numbers, addresses, tax details, copies of ID cards, test results, and medical diagnoses.
The news agency quoted UK-based security researcher Jason Parker, who noted that the Star Health chatbots feature a welcome message stating they are “by xenZen” and have been operational since at least August 6. Parker mentioned that he posed as a potential buyer on an online hacker forum, where a user under the alias xenZen claimed to have created the chatbots and possessed 7.24 terabytes of data related to over 31 million Star Health customers. “The data is free via the chatbot on a random, piecemeal basis, but for sale in bulk form,” he added.
On August 14, Star Health informed exchanges that it received emails from an unidentified person claiming to have unauthorized access to some claims data. “Our cybersecurity team is already investigating the matter and simultaneously a police complaint has been filed,” it added.
However, Star Health has not provided updates on the investigation’s status or made any disclosures to the exchanges regarding the Reuters story at the time of filing this story.
