Data is the backbone of digital health systems, and when that data is compromised, the fallout can have far-reaching consequences. The recent breach at Star Health Insurance, one of India’s largest health insurers, is a stark reminder of the fragile trust consumers place in digital systems. This incident involved the exposure of personal and medical data of over 31 million customers, leading to a ransomware demand of $68,000.
As India moves toward a fully digital healthcare ecosystem under initiatives like the Ayushman Bharat Digital Mission, breaches like this have the potential to derail progress by shaking the very foundation on which digital health services rely: trust.
How the Star Health Insurance data breach happened: What we know so far
In October 2024, a hacker claimed to have accessed and put up for sale the personal data of 3.1 crore ($31 million) Star Health Insurance customers. The compromised data included highly sensitive information such as names, addresses, PAN numbers, contact numbers, confidential health records, and policy details. Several news outlets reported that Star Health Insurance’s chief information security officer (CISO) had leaked confidential customer data to a hacker. This accusation came from a cybercriminal known as “xenZen,” who posted a screenshot allegedly showing the CISO sharing credentials via email—offered as proof of an insider conspiracy.
While the breach itself did take place, no evidence has been found that proves the CISO intentionally leaked the data. Further investigation revealed that xenZen had in fact falsified the evidence to implicate the CISO, manipulating the media’s interest in scandal and crafting a false narrative of insider misconduct. Interestingly, XenZen was also involved in the Airtel data breach in July 2024. Just a month earlier, the same hacker allegedly exposed the Ministry of External Affairs’ database for blue-collar workers on Breach Forum, a platform for trading stolen or leaked information.
Cybersecurity firm CloudSEK’s investigation revealed that the attackers exploited insecure API endpoints, which allowed unauthorized access to the company’s customer database. APIs are increasingly used by insurers and healthcare providers to facilitate communication between different systems, and when these APIs are not secured, they become easy targets for hackers.
This breach raises critical questions about the preparedness of healthcare and insurance companies to handle the growing threat of cyberattacks. Despite the increasing sophistication of cybercriminals, many organizations in this sector are still playing catch-up when it comes to adopting modern cybersecurity practices. In Star Health Insurance’s case, the breach exposed serious gaps in security protocols, including a lack of encryption for sensitive data and weak monitoring systems that allowed the hacker to remain undetected for an extended period.
Global comparisons
The Star Health Insurance breach is not an isolated incident; similar attacks around the world have shown the devastating impact cyberattacks can have on digital healthcare. In 2022, Medibank, one of Australia’s largest health insurers, experienced a major data breach affecting 9.7 million customers. The exposed data included sensitive medical information, such as details about treatments for drug addiction, mental health, and chronic conditions. Medibank refused to pay the ransom demanded by the hackers, resulting in the data being released online. The breach led to widespread public outrage and caused severe reputational damage to the insurer, which faced lawsuits and government scrutiny for failing to protect customer data.
Similarly, in 2017, the UK’s NHS was paralyzed by the infamous WannaCry ransomware attack, which exploited vulnerabilities in outdated Windows software. The attack disrupted services across the country, forcing hospitals to cancel appointments and delay surgeries. While not a targeted breach of patient data, the attack revealed the significant vulnerabilities in digital health systems and the high stakes of cybersecurity in healthcare.
Learning from the incident: What can other organizations do?
The Star Health Insurance breach should be a wake-up call for all organizations operating in the healthcare and health insurance industries, not just in India but globally. As more data is stored and shared digitally, the risk of cyberattacks grows exponentially. Here are some lessons that can be drawn from this incident:
-
Secure APIs and digital infrastructure
As seen in the Star Health Insurance breach, insecure APIs can be a major vulnerability. Organizations need to ensure that APIs are properly secured with authentication, encryption, and real-time monitoring. Regular security audits should be conducted to identify and patch potential vulnerabilities before they can be exploited. -
Implement strong encryption
A lack of data encryption policies allows attackers to access sensitive customer information easily. Encryption is a basic yet critical layer of security that ensures even if data is stolen, it remains unreadable. Companies must implement end-to-end encryption for all sensitive data, both at rest and in transit. -
Invest in real-time threat detection
The Star Health Insurance breach went undetected until the hacker asked for the ransom and publicized the data for sale. Advanced threat detection systems using AI and machine learning can help identify suspicious activity early and prevent breaches from escalating. Monitoring network traffic, unusual data requests, and access patterns in real time is crucial to stop attackers before they cause significant damage. -
Implement PAM policies
Privileged accounts, often used by administrators and senior leaders, have elevated access to critical systems and sensitive data, making them prime targets for hackers. Organizations should enforce strict privileged access management (PAM) protocols to control and monitor these accounts. This includes limiting the number of privileged users, enforcing multi-factor authentication, and regularly auditing access logs to detect any unauthorized use. -
Develop a proactive incident response plan
A clear, well-documented incident response plan is essential for handling breaches efficiently. Organizations should be prepared to respond swiftly and transparently in the event of a cyberattack. Regular drills and simulations can help teams respond better under pressure.
India’s digital health future at stake
Data breaches like these highlight the fragile state of trust in India’s digital health ecosystem. As India strives to digitize its healthcare system, the security and privacy of personal health data have become paramount. Breaches like these not only compromise sensitive information but also pose significant risks to India’s broader ambitions of creating a unified, digitally-driven healthcare system. Rebuilding trust is not merely a matter of containing the fallout; it requires a systemic overhaul of how data is protected and managed across the sector.
This serves as a strong reminder of why the impending Digital Personal Data Protection Act (DPDPA) is more important than ever. Once enacted, the DPDPA will hold organizations accountable for not only securing sensitive information but also providing transparent disclosures in the event of data breaches. For India’s healthcare sector, this could be a turning point. While many companies suffer from poor cybersecurity practices, the introduction of stronger data protection laws will push organizations to prioritize data security, from encrypting sensitive information to adopting privacy by design principles. This means that data security will be embedded into the development of digital health platforms and infrastructure from the outset, not as an afterthought.
The role of the DPDPA extends beyond individual organizations; it is foundational to restoring public trust in India’s digital health ecosystem. As India’s digital health initiatives advance, people need to feel confident that their data is safe and that those responsible for it will face repercussions for negligence. Without this trust, initiatives like the digitization efforts in the healthcare sector could face resistance from the very people they are meant to benefit.
