Star Health data leak: What recourse do policyholders have?

The company suffered a serious hacking episode last month in which a hacker using the alias “xenZen” created a Telegram website and chatbots to leak its policyholders’ sensitive personal data of names, phone numbers, email IDs, addresses to financial and health information.

The hacker said Star Health’s chief information security officer Amarjeet Khanuja sold him the data and made it public only when Khanuja sought more money than previously decided.

Star Health said Khanuja has cooperated with the investigation and no wrongdoing has been found so far.

About 7.24 terabytes of data has been compromised, affecting 31 million customers.

“A thorough and rigorous forensic investigation is underway, led by independent cyber security experts, and we are working closely with the government and regulatory authorities at all stages of this investigation, including duly reporting the incident to insurance and cybersecurity regulatory authorities, in addition to filing a criminal complaint,” Star Health said in a media release.

Read also: Star Health Data Breach: Scope for Mammoth Scams Amid Few Legal Resources?

CloudSEK, a Bengaluru-based data security firm, said the involvement of the CISO and other executives appears fabricated. According to CloudSEK, the threat actor shared two simultaneous chats: on the left, an anonymous TOX messaging platform, and on the right, emails purportedly from official Star Health accounts.

However, CloudSEK noted that this could be easily spoofed using a simple “inspect element” trick to alter the HTML, making the emails appear to come from legitimate sources.

“Based on the information available, we can verify with high confidence that the threat actor has data originating from Star Health Insurance. However, the involvement of the CISO and other executives appears highly improbable and fabricated, ie- at the very least,” he added. .

However, the very fact that the data breach occurred raises questions about Star Health’s data security protocols.

What should policyholders do?

Star Health has assured its customers and partners that it has implemented robust security measures. The company has also sought legal action, with the Madras High Court ordering third parties to restrict access to the leaked information.

“We want to emphasize that any unauthorized acquisition, possession or dissemination of customer data is illegal. We urge all platforms, hosting companies, social media channels and users to take swift and decisive action to stop these activities and comply the orders of the High Court,” the company said.

When it comes to leaked information, there is little a policyholder can do. Experts advise them to pay attention to every call and message they receive to avoid further problems. Be wary of spam calls, unauthorized transactions, or suspicious account logins.

“Policyholders should immediately change passwords for all key accounts, especially banking, e-commerce and healthcare applications, to mitigate the risk of additional unauthorized access. Opting for a more secure password, in addition , enabling two-factor authentication whenever possible will provide an additional layer of protection,” said Neha Anand, vice president and head of cyber at Prudent Insurance Brokers.

Borrowers can also take proactive steps to protect their financial accounts through credit freezes or fraud alerts, he added.

Can policyholders take legal action?

While legal recourse is an option, proving damages stemming directly from a data breach can be complex, Anand said.

“If policyholders observe misuse of their data related to the breach, they should not hesitate to escalate the issue to regulatory authorities. Staying vigilant, informed and proactive is the best way to safeguard a policyholder’s interests in these scenarios.”

Read also: Star Health Insurance under cyber attack, says operations unaffected even after data breach

Is it time to switch your policy to another insurer?

Many policyholders are thinking about it. The recent data breach has only added to their worries. Frequent stories of claim rejections circulating on social media are also worrying.

The reasons for the rejection of the claim range from unnecessary hospitalizations to discrepancies in the documentation. In fact, some hospitals in Ahmedabad have blacklisted Star Health because of the complicated claims settlement process, said Aditya Shah, medical insurance expert and CFA charter holder.

For current Star policyholders, portability to another insurer should be carefully considered. Shah advises that younger policyholders or those with less stringent terms and conditions may consider portability. However, for seniors or those with pre-existing conditions, the subscription process can be complicated. Shah stresses that if Star Health wants to retain its customers, it needs to seriously reevaluate and improve its claims settlement experience.

Also Read: Health Insurance: Top Up Vs. supercharger: which one is right for you?

It should be noted that there is no guarantee that a new insurer will not present its own set of challenges.

“It is essential to consider other critical factors such as claim settlement ratios, customer service experience and policy benefits before opting for a switch. The insurer must quickly implement robust measures of data protection and maintain transparent communication to restore customer confidence and remain a viable option for current policyholders,” said Anand.

“However, if the insurer’s response is perceived as inadequate, policyholders may explore other insurance providers known for better claims handling and strict data security protocols.”

Meanwhile, the Insurance Regulatory and Development Authority of India is silent on the issue.

“Irdai must step in to enforce strict data protection standards and mandatory disclosure of breaches under the DPDP (Digital Personal Data Protection) Act,” Anand said. “Swift regulatory action is needed to hold companies accountable, protect policyholders’ interests and restore confidence in the insurance industry’s commitment to safeguarding sensitive information.”