Published Sep 28, 2024 | 7:00 AM ⚊ Updated Sep 28, 2024 | 11:20 AM
A significant data breach at Star Health and Allied Insurance, one of India’s largest health insurers, compromised the personal and medical information of over 3.1 crore customers. The breach extended beyond basic identification data and included sensitive medical records.
For example, the medical records of a year-old girl treated in Kerala, including her diagnosis, blood test results, medical history, and a hospital bill of nearly ₹15,000, were accessed. Similarly, a 2023 claim filed by a policyholder, Pankaj Subhash Malhotra, revealed details of his illness, ultrasound imaging tests, and copies of his tax account and national ID cards.
The breach, first reported by Reuters on 20 September 2024, has made stolen data accessible to anyone through chatbots on the messaging app, Telegram. Users can request and download various documents at no cost.
The hacker, operating under the alias “xenZen,” claimed to possess approximately 7.24 terabytes of data of Star Health customers.
The leaked information included:
– Names
– Addresses
– Phone numbers
– Tax details
– Medical diagnoses
– Policy details
– Copies of ID cards
– Medical reports and test results
– Claims information
Some documents accessible on Telegram are as recent as July 2024. The hacker’s chatbots allowed users to access and distribute sensitive data.
Responding to the breach, Star Health filed a lawsuit against Telegram and the hacker, accusing them of facilitating the illegal dissemination of private information. A Tamil Nadu court has issued a temporary injunction, directing Telegram to block any chatbots or websites within India that shared this data.
Star Health acknowledged the breach and said it was working with law enforcement agencies to resolve the crisis. The company’s initial assessment, however, claimed that there had been “no widespread compromise” of customer data, and it reiterated its commitment to maintaining customer privacy.
Despite Telegram’s efforts to shut down the chatbots, new ones continued to pop up shortly after the previous ones were taken down.
In May, Kaveri shared her alarming experience with a voice-cloning scam on social media. She received a call from someone posing as a police officer, claiming her daughter had been arrested on serious charges, including blackmail.
The scammer used AI technology to clone her daughter’s voice, playing a recording that sounded exactly like her, pleading for help.
Panicked, Kaveri was pressured into providing financial aid for her daughter’s release. However, she quickly realised the scam and demanded to speak directly with her daughter. When the scammer became aggressive, Kaveri kept her composure and jokingly said, “Take her away,” prompting the caller to abruptly end the conversation.
⚠️Scam Alert⚠️
I got a call about an hour ago from an unknown number. I unusually do not respond to unknown numbers but I don’t know what made me answer this call.
On the other end was a guy who said he was a cop and asked me if I knew where my daughter K was. He said K gave…
— Kaveri 🇮🇳 (@ikaveri) March 11, 2024
In an era of increasingly sophisticated scams, “criminals can impersonate individuals, apply for loans or credit cards, and commit other fraudulent acts—stolen medical information allows criminals to file fraudulent insurance claims or steal benefits intended for actual policyholders. Fraudsters may also use leaked medical records to obtain prescription drugs illegally,” said cyber security expert Kiran Vangala.
Additionally, medical diagnoses and reports could be exploited to access healthcare services fraudulently, with the bills sent to the victim.
The healthcare industry has been identified as the most targeted sector for data breaches, with over 41.2 million healthcare records exposed in 2019 alone across 505 incidents. From 2005 to 2019, approximately 249.09 million individuals were affected by healthcare data breaches, with 157.40 million affected in the past five years.
“Medical reports and test results are highly valuable to those involved in black market organ sales, fraudulent medical treatments, or counterfeit drug schemes,” explained Vangala.
“With access to personal details such as phone numbers, emails, and medical histories, attackers can craft convincing phishing messages, tricking victims into sharing more information or making payments. Criminals can impersonate insurance agents, healthcare providers, or government officials to further deceive individuals,” he added.
He said leaked health and personal data is often sold on the dark web, where cybercriminals, data brokers, or other entities use it for various illicit activities.
Once available, this data could be used in future attacks, such as ransomware or sophisticated identity theft schemes. Additionally, insurance companies, marketers, or third-party actors may exploit this detailed personal information to create invasive profiles of individuals, covering their medical history, financial status, and lifestyle habits.
Employers or organisations could use such data to discriminate against individuals based on health conditions, leading to employment or insurance denials.
A study suggested that a majority of data breaches (approximately 73.1%) resulted from human error, such as carelessness or falling for phishing attacks.
The aftermath of a breach often forces organisations to shift focus from patient care to breach management, disrupting their primary operations. It could lead to postponed appointments, delayed procedures, and ultimately harm patients’ health outcomes.
The Covid-19 pandemic significantly escalated healthcare data theft, with a surge in cyberattacks.
The rapid shift to remote work and telehealth services introduced new vulnerabilities that cybercriminals quickly exploited. Many healthcare organisations, focused on patient care, de-prioritised security measures, leaving their systems more exposed.
Common methods of attack during the pandemic included phishing, ransomware, Distributed Denial-of-Service (DDoS), and malware. Between 2020 and 2021, healthcare experienced 3,908 data breaches, accounting for 87.65% of all breaches.
In 2023, the health sector saw a record 725 data breaches, compromising over 133 million records. Hacking incidents alone increased by 239% since 2018, accounting for nearly 80% of breaches in 2023.
The Kerala hospital cybersecurity case involved a major ransomware attack on the Regional Cancer Centre (RCC) in Thiruvananthapuram on 28 April 2024.
Russian cybercriminals allegedly targeted the hospital, demanding a $100 million ransom after breaching its firewall using brute-force methods. The attack disrupted key services, including radiation therapy, and compromised the data of approximately 20 lakh patients.
Despite the breach, the hospital’s backup systems ensured continued patient care.
An investigation revealed serious weaknesses in RCC’s network security, particularly in firewall management.
The AIIMS data theft case involved a major ransomware attack on 23 November 2022, disrupting hospital operations and raising concerns about healthcare cybersecurity in India.
Hackers, reportedly from China, infiltrated and encrypted data on five of AIIMS’s 100 servers, forcing the hospital to revert to manual operations, severely impacting patient care.
The breach compromised the personal data of three to four crore patients, including high-profile figures, with a ₹200 crore ransom demanded in cryptocurrency.
Investigations revealed significant lapses in AIIMS’s cybersecurity infrastructure, prompting discussions in Parliament on strengthening data protection laws for sensitive health information.
(Edited by Majnu Babu).