Healthcare attacks spread beyond US – just ask India's Star Health

Acknowledges bulk customer data leak weeks after Telegram channels dangled it online

by · The Register

Leading Indian health insurance provider Star Health has admitted to being the victim of a cyber attack after criminals claimed they had posted records of 30-milion-plus clients online.

When news of a potential break appeared in September, the firm asserted that initial assessments showed "no widespread compromises" and that "sensitive customer data remains secure."

At the time, a hacker who goes by "xenZen" was allegedly using two Telegram chatbots to leak the data. One chatbot offered PDFs of claim documents, another allowed users to request up to 20 samples of over 31 million records containing sensitive information like body mass index. The perp also claimed to have the images of Star Health customers' national identity card.

Star Health this week told The Register that it acknowledges "unauthorized and illegal access to certain data" but added "operations remain unaffected."

"A thorough and rigorous forensic investigation, led by independent cyber security experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cyber security regulatory authorities apart from filing a criminal complaint," explained the care provider.

Star Health has also approached the Madras High Court, which ordered all relevant parties to disable any access to the information.

Star Health said its CISO was cooperating with the investigation and had not been found guilty of any wrongdoing, adding "We request that his privacy be respected as we know that the threat actor is trying to create panic."

xenZen has claimed that they obtained the records directly from Star Health's CISO.

"Star Health management CISO [name redacted] (as mc6) sold all this data to me and then attempted to change deal terms saying senior management of company needs more money for backdoor access," posted xenZen, along with screenshots of the alleged conversations.

Once operating on Telegram, the threat actor has since shifted toward self-hosting. The Reg has viewed, but chosen not to link to, the hacker's website where the stolen data now sells for $150k and chunks of 100k entries can be had for $10k.

Star Health has filed suit against Telegram, Cloudflare and xenZen (which is listed as having an unknown address) among others, for their roles in enabling the leak. Court documents dated September 24 show the insurer seeking a permanent injunction to prevent the defendants from publishing or sharing the stolen data and using its trade names, logo, and website domain. The court granted an interim injunction on the same day.

The suit also included requests for the removal of Telegram bots and websites involved in the leak, and for the disclosure of user information tied to the breaches.

Healthcare organizations and hospitals have recently been the target of ransomware and other cyber threats. This month, an Alabama hospital informed 61,000 patients their personal data was accessed one year prior. And at the end of September, The University Medical Center in Lubbock, Texas, was forced to severely limit operations following a hit by ransomware operators. And last week, cybergang Trinity allegedly infected Rocky Mountain Gastroenterology – a Colorado-based clinic, with ransomware. ®