Star Health Breach: Does Reputation Trump Patient Privacy?

Cybercrime Expert Ritesh Bhatia on Culture of Silence Over Major Incidents
Ritesh Bhatia, cybercrime investigator and founder, V4WEB Cybersecurity

Star Health & Allied Insurance Co. this summer suffered a major data breach incident after a hacker, using the moniker xenZen, made the data of millions of the insurance company's customers publicly accessible via chatbots on Telegram.

The data breach, reported Sept. 20 by Reuters, compromised the personally identifiable and sensitive healthcare information of about 31 million customers in India. The compromised information included customers' health claims data, tax records, addresses, phone numbers, identification documents, and details of their medical condition and diagnoses.

The health insurance giant first mentioned the hacking incident during a brief stock exchange filing on Aug. 14. It stated an unidentified person claimed to have unauthorized access to a "few claims data."

The company sent an email to customers on Sept. 20 to warn them that certain unauthorized entities may fraudulently present themselves as company officials on phone calls and urge them to discontinue their existing insurance policies. "These fraudulent acts not only pose a risk to your personal information but also potentially jeopardize the long-term benefit of your policy," it said.

The company did not reveal in these communications the extent of the hack, the types of data records exposed, its response to the incident or whether it plans to strengthen its cybersecurity practices to prevent similar incidents from occurring in the future.

The company did reveal in a brief newspaper advertisement on Sept. 20 that it had sued the hacker, Telegram, and U.S. software company Cloudflare over the data security incident. It alleged in its lawsuit that Cloudflare hosted the hacker-owned domains that purportedly contained customers' personal and healthcare information. Cloudflare later denied hosting the hacker-run websites in a statement shared with Reuters.

Star Health's handling of the data security incident has put a spotlight on how seriously organizations take the handling of highly sensitive customer information. It also raises the question of whether decision-makers prioritize business reputation over customers' legitimate data security and privacy concerns.

"Coming to the response of the corporate, again, it's zero on 10. This is pathetic. I mean, and this is applicable to all these corporates over here: the blame game begins, nobody wants to take ownership," said Ritesh Bhatia, Mumbai-based cybercrime investigator and founder of V4WEB Cybersecurity.

"We would always feel whenever it comes to incident response, it is the CTO, CIO or the CISO who have to be going crazy about it. But no, when such breaches happen, it is not about the money or the data, it is more about reputation," he said.

In this video interview with Information Security Media Group, Bhatia discussed:

  • The need for transparent corporate communications in the wake of a hacking incident;
  • Best practices for responding to high-profile data breaches;
  • The need for better government oversight of breach disclosure.

Bhatia has 20 years of experience as a cybercrime investigator and cybersecurity and data privacy consultant. He is a TEDx speaker and certified fraud examiner with the Association of Certified Fraud Examiners, USA, and has solved cases for organizations and law enforcement agencies worldwide.


About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.



