Legal services firm asks govt to probe Star Health data breach

by IANS

New Delhi, Oct 14 (IANS) Software Freedom Law Centre India (SFLCI), a Delhi-based legal services organisation, on Monday wrote to the national cyber agency, the Indian Computer Emergency Response Team (CERT-In), asking it to initiate a probe into the data breach at Star Health and Allied Insurance, one of the largest health insurers in the country, and to prevent such data leaks in the future.


Highly sensitive personal information of Star Health customers, including names, phone numbers, residences, tax information, ID copies, test results, and diagnoses, was reportedly available on Telegram. A hacker put the entire 7.24 TB of data, allegedly belonging to its over 3.1 crore customers, up for open sale on a website for $150,000. Star has also received a ransom demand of $68,000.


“It is highly problematic that sensitive medical information has been leaked, as it exposes customers to potential frauds by bad actors in the health sector such as predatory insurance agencies and laboratories,” the SFLCI said.


“Medical information is confidential and must be afforded higher protection and held to a higher standard of accountability. A data breach of medical information must be addressed with urgency, as there is a high potential for misuse of medical data,” added the firm in the letter to CERT-In, under the Ministry of Electronics and Information Technology.


The SFLCI mentioned that the consequences of the data breach can be severe, and can range “from identity theft and impersonation to emotional distress with long-term fears of misuse of their personal information”.


The organisation said that, in light of several recent large-scale data breaches in the country, including Aadhaar and CoWIN, “we urge CERT-In to investigate such data breaches immediately”.


In October 2023, the Aadhaar data of around 81 crore citizens was allegedly leaked, and in July 2023, the alleged CoWIN data breach also resulted in the exposure of sensitive personal information.


Further, the firm called for notifying rules under the Digital Personal Data Protection Act, 2023.


Until this is done, India will not have an effective “data protection regime to address such harms”, the organisation said.


It further noted that Section 70B of the Information Technology Act empowers CERT-In to conduct security audits and respond to data breaches. Rule 8 of the CERT-In Rules requires CERT-In to respond to cyber security incidents. Rule 9 requires an analysis of such incidents.
