Legal services firm asks govt to probe Star Health data breach


New Delhi, Oct 14 (IANS): Software Freedom Law Centre India (SFLCI), a Delhi-based legal services organisation, on Monday wrote to the national cyber agency Indian Computer Emergency Response Team (CERT-In) to initiate a probe into the data breach by Star Health and Allied Insurance, one of the largest health insurers in the country, and also to prevent such data leaks in the future.

Highly sensitive personal information including names, phone numbers, residences, tax information, ID copies, test results, and diagnoses of Star Health customers was reportedly available on Telegram. A hacker put the entire 7.24 TB data, allegedly belonging to its over 3.1 crore customers, for open sale on a website for $150,000. Star has also received a ransom demand of $68,000.

“It is highly problematic that sensitive medical information has been leaked, as it exposes customers to potential frauds by bad actors in the health sector such as predatory insurance agencies and laboratories,” the SFLCI said.

“Medical information is confidential and must be afforded higher protection and held to a higher standard of accountability. A data breach of medical information must be addressed with urgency, as there is a high potential for misuse of medical data,” added the firm in the letter to CERT-In, under the Ministry of Electronics and Information Technology.

The SFLCI mentioned that the consequences of the data breach can be severe, and can range “from identity theft and impersonation to emotional distress with long-term fears of misuse of their personal information”.

The organisation said that in light of several recent large-scale data breaches, including Aadhaar and CoWIN, in the country “we urge CERT-in to investigate such data breaches immediately”.

In October 2023, the Aadhaar data of around 81 crore citizens was allegedly leaked, and in July 2023, the alleged CoWIN data breach also resulted in the exposure of sensitive personal information.

Further, the firm called for notifying rules under the Digital Personal Data Protection Act, 2023.

Until this is done India will not have an effective “data protection regime to address such harms”, the organisation said.

It further informed that Section 70B of the Information Technology Act empowers CERT-in to conduct security audits and respond to data breaches. Rule 8 of the CERT-in Rules requires CERT-in to respond to cyber security incidents. Rule 9 requires an analysis of such incidents.

 

  

Top Stories


Leave a Comment

Title: Legal services firm asks govt to probe Star Health data breach



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.