ABSTRACT
Star Health and Allied Insurance Co. Ltd. is an Indian multinational health insurance company headquartered in Chennai, India. The company provides health, personal accident, and overseas travel insurance, sold directly as well as through channels such as agents, brokers and online. Star Health also has a prominent bancassurance business, with long-standing relationships with various banks. In September 2024 the company faced a data leak affecting over 31 million customers, with allegations that a senior official had sold the data. On August 13, 2024, Star Health informed BSE that it had received e-mails from an unidentified person claiming to have unauthorized access to its data.

However, security experts reported that the breach was ongoing and had been occurring since at least August 6, 2024. Subsequently, the breach was publicly disclosed and reported by various news sources on September 20, 2024, with estimates suggesting that sensitive information from over 31 million customers was compromised. The leaked data includes highly sensitive personal and financial information, exposing policyholders to a significant risk of identity theft, fraud and unauthorized financial transactions, and making them vulnerable to phishing, financial fraud and other attacks. Two Telegram chatbots distributed Star Health data. One offered claim documents in PDF format. The other allowed users to request up to 20 samples from 31.2 million datasets with a single click, returning details including policy number, name and even body mass index. In testing the bots, Reuters downloaded more than 1,500 files, some dated as recently as July 2024, which included policy and claims documents featuring names, phone numbers, addresses, tax cards, copies of ID cards, test results, medical diagnoses and blood reports. Star Health filed a police complaint and reported the issue to Tamil Nadu's cybercrime department and the federal cyber security agency CERT-In. Star has also sued Telegram and the self-styled hacker xenZen, and questioned US software firm Cloudflare, which has denied any role in hosting two websites run by a hacker offering for sale stolen personal data and medical records of customers. The websites and Telegram bots were inaccessible on Sunday. The company has obtained a temporary injunction from a court in its southern home state of Tamil Nadu ordering Telegram and the hacker to block any chatbots or websites in India that make the data available online.
TACTICS, TECHNIQUE AND PROCEDURE (TTP)
The exact method employed by the hacker remains uncertain, but there is speculation that a senior company official may have been compromised to gain access to the data. It is believed that the hacker built chatbots that allowed users to easily retrieve private policy documents, while others suggest that the breach may have been facilitated through third-party vendors.
EXPERT’S ADVICE
Healthcare organizations need to ensure the following:
- Periodically Update and Patch Systems with adequate secure configuration policies
- Implement Role-Based Access Control (RBAC) Strategies and Multi-Factor Authentication (MFA)
- Strengthen Employee Training and Awareness on securely handling data systems and on recognizing phishing scams and similar attacks
- Prioritize Patient Data Protection
- Perform Third-party Vendor Risk Management
- Set up a strong tested Incident Response and Recovery Plan
- Ensure All Compliance Requirements Are Met, e.g. HIPAA
- Implement Real-time Monitoring and Threat Detection with an inhouse or third-party SOC
- Reassess critical Regulatory Compliance after an Attack or Breach and Strengthen it
- Perform Security Assessments through a third-party vendor to uncover any potential Misconfigurations, Loopholes and Vulnerabilities in the existing Systems, including Applications and the underlying Network
REFERENCES
- https://www.cert-in.org.in/
- https://en.wikipedia.org/wiki/Star_Health_and_Allied_Insurance
- https://www.hhs.gov/hipaa/index.html
GLOSSARY
- Cybercrime – Malicious cyber activity that threatens the public's safety and our national and economic security
- Tactics, Techniques and Procedures (TTP) – Describes the behavior of a threat actor and a structured framework for executing a cyberattack
- Phishing – A type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source
- HIPAA – The Health Insurance Portability and Accountability Act