Star Health data leak: What recourse do policyholders have?

On 25 September, a cyber attacker using the alias ‘xenZen’ leaked a massive database through automated chatbots on Telegram. About 7.24 terabytes of data affecting 31 million customers has been compromised.

Aprajita Sharma
Published 11 Oct 2024, 03:53 PM IST
Experts advise them to be vigilant about every call and message they receive to avoid further trouble. (Image: Pixabay)

Just as Star Health policyholders were grappling with the company's growing reputation for rejecting genuine claims, a new issue has surfaced, adding to their frustration.

The company suffered a severe hacking episode last month in which a hacker using the alias “xenZen” created a website and Telegram chatbots to leak its policyholders' sensitive personal data, ranging from names, phone numbers, email IDs and addresses to financial and health information.

The hacker said Star Health's chief information security officer Amarjeet Khanuja sold the data to him and he made it public only when Khanuja reportedly sought more money than previously decided.

Star Health said Khanuja has been co-operating in the investigation and no wrongdoing by him had been found so far. 

About 7.24 terabytes of data affecting 31 million customers has been compromised.

"A thorough and rigorous forensic investigation, led by independent cybersecurity experts is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cybersecurity regulatory authorities apart from filing a criminal complaint," Star Health said in a media statement.


CloudSEK, a Bengaluru-based data security firm, said the involvement of the CISO and other executives seems fabricated. According to CloudSEK, the threat actor shared two simultaneous chats—on the left, a TOX messaging platform known for anonymity, and on the right, emails allegedly from official Star Health accounts.

However, CloudSEK pointed out that this could easily be faked using a simple 'inspect element' trick to alter HTML, making the emails seem like they came from legitimate sources.

"Based on the available information, we can ascertain with high confidence that the threat actor has data that originates from Star Health Insurance. However, the involvement of the CISO and other executives seems highly unlikely and fabricated, to say the least," it added.

However, the very fact that the data breach happened raises questions about Star Health's data security protocols.

What should policyholders do?

Star Health has assured its customers and partners that it has implemented robust security measures. The company has also sought legal action, with the Madras High Court ordering third parties to restrict access to the leaked information.

"We want to emphasize that any unauthorised acquisition, possession, or dissemination of customer data is illegal. We urge all platforms, hosting companies, social media channels and users to take swift and decisive action to halt such activities and comply with the orders of the High Court," the company said.

As for the leaked information, there's little a policyholder can do. Experts advise them to be vigilant about every call and message they receive to avoid further trouble. Beware of spam calls, unauthorized transactions or suspicious account logins.

"Policyholders should immediately change passwords across all key accounts, particularly banking, e-commerce, and health applications, to mitigate the risk of further unauthorized access. Opting for stronger password in addition, enabling two-factor authentication wherever possible will provide an extra layer of protection," said Neha Anand, vice president and head of cyber at Prudent Insurance Brokers.

Policyholders can also take proactive steps to protect their financial accounts by placing credit freezes or fraud alerts, she added.

Can policyholders take legal action?

While legal recourse is an option, proving damages stemming directly from a data breach can be complex, said Anand.

“If policyholders notice any misuse of their data linked to the breach, they should not hesitate to escalate the issue to regulatory authorities. Staying vigilant, informed, and proactive is the best way to safeguard one’s interests in such scenarios.”


Is it time to switch your policy to a different insurer?

Many policyholders are pondering it. The recent data breach has only added to their concerns. Frequent stories of claim rejections circulating on social media are worrisome too.

Reasons for claim rejections range from unnecessary hospitalisations to discrepancies in documentation. In fact, some hospitals in Ahmedabad have reportedly blacklisted Star Health due to the cumbersome claims settlement process, said Aditya Shah, a health insurance expert and a CFA charterholder.

For current Star policyholders, porting to another insurer should be carefully considered. Shah advises that younger policyholders or those with less strict terms and conditions might consider porting. However, for older individuals or those with pre-existing conditions, the underwriting process can be tricky. Shah emphasizes that if Star Health wants to retain its customers, it must seriously re-evaluate and improve its claims settlement experience.


One needs to be mindful that there is no guarantee that a new insurer won’t present its own set of challenges. 

“It’s essential to consider other critical factors such as claim settlement ratios, customer service experience, and policy benefits before opting for a change. The insurer must swiftly implement robust data protection measures and maintain transparent communication to restore customer confidence and remain a viable option for current policyholders,” said Anand.

“However, if the insurer’s response is perceived as inadequate, policyholders can explore other insurance providers which are known for better claim handling and stringent data security protocols.”

The Insurance Regulatory and Development Authority of India (Irdai), meanwhile, remains silent on the issue.

“Irdai must step in to enforce stringent data protection standards and mandatory disclosure of breaches as per DPDP (Digital Personal Data Protection) Act,” said Anand. “Swift regulatory action is needed to hold companies accountable, protect policyholders’ interests, and restore trust in the insurance sector’s commitment to safeguarding sensitive information.”

Key Takeaways
  • Be vigilant about spam calls, unauthorized transactions, and suspicious logins.
  • Immediately change passwords for banking, e-commerce, and health apps.
  • Enable two-factor authentication for extra security.
  • Consider placing credit freezes or fraud alerts to protect financial accounts.
  • Report any data misuse to regulatory authorities promptly.
  • Carefully consider switching insurers; younger policyholders may port, but older ones or those with pre-existing conditions should evaluate carefully.
