Star Health's Communications Criticised for Focusing on Data Leak Distribution Instead of Addressing Vulnerabilities

Telegram, a messaging app, has accused Star Health of diverting attention from a significant data leak involving over 3.1 crore insurance customers. Instead of addressing potential system vulnerabilities, Telegram claims Star Health is focusing on the distribution of leaked data. The messaging platform has also raised concerns about the lack of transparency in identifying the breach's cause.

A UK-based cybersecurity expert, Jason Parker, discovered in September that personal details, including mobile numbers and medical conditions of Star Health customers, were allegedly sold by a senior company official. In response, Star Health has taken legal action against Telegram and other platforms involved in the data leak. However, Telegram asserts it has been transparent, removing bots and cooperating with authorities.

Star Health's Response

Star Health did not comment on Telegram's allegations but stated in an October 28 regulatory filing that it hired an independent cybersecurity firm to investigate claims against its Chief Information Security Officer (CISO). The investigation concluded that the alleged communication between the Threat Actor and the CISO was fabricated, and no wrongdoing by the CISO was found.

Telegram argues that blaming intermediaries like itself is misguided. The app claims its proactive measures highlight a different narrative than Star Health's public statements. Telegram questions why there is less focus on how the sensitive data was initially compromised.

Corporate Responsibility and Data Protection

The incident at Star Health raises important questions about corporate responsibility in safeguarding data. The insurance sector handles sensitive personal and financial information, necessitating a comprehensive review of data protection practices. With digital transformation underway, ensuring customer data security is crucial.

Telegram believes the focus should shift from assigning blame to finding collaborative solutions for protecting customer data. The messaging app emphasises that industry-wide improvements are needed to prevent similar breaches in the future.

Previous Incidents and Legal Actions

In December 2022, Star Health reported a cyber fraud incident involving unauthorised access to its mobile application. On March 23, 2023, the company informed BSE about this issue. In April 2023, cybersecurity researcher Himanshu Pathak filed a writ petition in the Madras High Court against Star Health for exposing sensitive customer data.

Pathak's petition included documents revealing vulnerabilities reported to Star Health in December 2022 by CyberX9. These vulnerabilities exposed all customer data and were also reported to CERT-In. The case remains under judicial consideration.

The ongoing situation highlights the need for enhanced cybersecurity measures across industries handling sensitive information. Ensuring robust protection mechanisms can help prevent future breaches and maintain customer trust in digital platforms.