Last month, sensitive health data of over 3.1 crore Star Health customers was publicly accessible via telegram chatbot.
This massive data breach at India’s largest health insurer raised serious data privacy and security concerns in the Indian Healthcare sector.
Here’s everything you need to know about it!
What actually happened?
New agency Reuters reported that a self-styled hacker, xenZen, stole 3.1 crore Star Health customers’ data and leaked it with two Telegram chatbots.
One chatbot offered claims data in PDF format, and the other allowed users to request up to 20 samples from 31.2 million datasets. This data included patient names, phone numbers, addresses, insurance policy details, insurance claims, medical records, and other sensitive details.
Reuters downloaded 1500+ files from these chatbots while testing the genuineness of the data leak news.
Star Health leaked data was available for free via chatbot on a piecemeal basis and for sale in bulk.
Implications of Star Health Data Leak
Star Health’s customer data leak case raises serious privacy and security concerns. Sensitive health data and personally identifiable information (PII) can be misused putting laymen at risk. It may lead to identity fraud, false claims and phishing attacks.
Star Health is one of the biggest players in Indian healthcare. Customers’ data leak from Star Health raises concerns on the ability of the smaller healthcare businesses to protect health data adequately. It is a wake-up call about India’s vulnerable digital healthcare systems.
This shows the vulnerability of India’s digital healthcare systems and the immediate need to enforce improved cyber security measures.
How can this sensitive information be exploited?
Hackers and cybercriminals can exploit the leaked data and cause major issues like:
Insurance fraud
They may file false insurance claims using the patient’s stolen information and get unauthorised medical care, leading to unexplained expenses and medical history for the patient.
Financial exploitation
Using the data, they might target the patient and extort money via financial fraud and phishing scams. For instance, they’ll pretend to be a healthcare professional and gather more sensitive information for further scams.
Identity theft
Criminals can use the sensitive data to blackmail patients, take loans, open accounts to conduct fraudulent activities, commit credit card frauds, buy fake insurance and whatnot. It may lead to legal and financial damages to policyholders.
How is Star Health dealing with it?
Star Health admitted to the data breach and unauthorised data access by local authorities. Initially, they mentioned there’s “no widespread compromise” and “sensitive customer data are secure.” They cited that they’ll address this criminal activity with law enforcement.
Further, the company sent emails to customers (policyholders and patients) about possible fraudulent activities. They warned that criminals may pretend to be Star Health officials and ask them to cancel their policy.
They assured everyone that they put great importance on data privacy, follow IRDAI cyber security systems and controls, and will share updates soon.
Star Health also sued Telegram, the hacker, and Cloudflare Inc. (a US-based firm that hosted the leaked data). The insurance company received a temporary court order in Tamil Nadu that instructed Telegram to block all websites and chatbots in India that offer those data online.
What can be done to avoid it in the future?
Health insurance companies can prevent future data leaks by:
Improved encryption protocols
Health insurance providers must encrypt sensitive patient information. This way, despite a data breach, hackers can’t use data without decryption keys.
Cybersecurity audits
Regular, thorough, and frequent audits of cybersecurity systems will help insurance companies identify system vulnerabilities and resolve them early on.
Cybersecurity employee training
Most data breaches are a result of human errors. Educating and training employees on cyber security measures and their significance is necessary.
Employees must know how to identify phishing scams, follow data protection rules, and manage sensitive data.
Two-factor Authentication (2FA)
Companies must implement 2FA to access sensitive data. So, if a patient’s login credentials are stolen, 2FA prevents unauthorised access.
Data theft rise and importance of cybersecurity practices in healthcare
Data theft in the healthcare industry is rising worldwide. In the US alone, healthcare data record breaches increased from 5.3 million to 51.4 million between 2017 and 2022.
Further, reports show that the Indian healthcare sector experiences 6,953 attacks every week. As of 2022, 2,78,000 cyberattacks targeted Indian healthcare organisations.
With the digitisation of healthcare services and the vast online data storage, such malicious acts are bound to increase.
Inadequate cybersecurity practices can cause financial losses, diminish trust in digital healthcare systems, and even collapse the overall industry.
