
Star Health and Allied Insurance, a major player in India’s health insurance sector, is reeling from a large-scale data breach affecting over 30 million individuals. As investigations escalate, cracks within leadership are surfacing, and regulators are closing in.
Trust Shattered: Inside the Breakdown
Star Health and Allied Insurance Co. Ltd., one of India’s biggest health insurers, was thrust into a major cybersecurity crisis in August 2024. An initial report of a small security issue spiraled into chaos when, on August 13, a mysterious figure claimed access to sensitive customer data. The company issued a statement the next day, insisting the breach was contained. In the following months, however, that reassurance crumbled.
With support from the Madras High Court and India’s I4C unit, cybercrime investigators in October 2024 shut down Telegram bots that were making health data searchable in real time. Operated by a hacker using the alias “xenZen,” the bots revealed everything from Aadhaar numbers and policy details to sensitive medical images—turning privacy into a digital casualty.
Things took a darker turn when “xenZen” declared they held 7.24 TB of sensitive data and were selling it for $150,000. Even more alarming were reports that Star Health leaders received bullets and death threats, allegedly tied to the hacker’s personal grievances over denied claims.
Leadership Exodus: Top Brass and Staff Head for the Exits
Insiders report a leadership shake-up in the wake of the breach, with at least four senior executives—spanning risk, finance, compliance, and cybersecurity—set to resign. Their departure would gut the company’s ability to manage fallout from the incident at a time when their expertise is most critical.
Regulatory Uncertainty and Open Questions
Star Health faces potential financial and legal fallout beyond reputational harm. The 2023 Digital Personal Data Protection Act in India, still in early stages, allows for penalties up to ₹250 crore, with health data marked as high-risk and subject to tighter protections.
Under the IT Directions 2022, companies must report data breaches to CERT-In within six hours, or risk facing fines up to ₹17.6 crore for each violation.
Legal experts caution that although the DPDP Act is in place, the lack of finalized enforcement rules causes uncertainty, particularly regarding whether it applies retroactively.