India’s largest health insurer, Star Health and Allied Insurance Co, continues to face mounting challenges following a significant data breach in 2024, now compounded by alleged physical threats against senior leadership.
In an exclusive report by Reuters, a self-identified hacker using the pseudonym “xenZen” has claimed responsibility for the breach and said they sent threatening packages containing bullet cartridges to Star Health’s Chennai headquarters in February.
The items, reportedly addressed to CEO Anand Roy and CFO Nilesh Kambli, included a note implying imminent violence.
The claims were made in an email to Reuters on March 31, along with photographs of the packages. The news agency could not independently verify the authenticity of the materials or the hacker’s identity.
While Tamil Nadu police have not issued public comments, three law enforcement sources confirmed that an investigation is underway. One official said that a man from Telangana had been detained for allegedly facilitating the delivery of the packages on behalf of the hacker, although further details remain undisclosed.
Star Health said it could not comment on the threats due to an “ongoing, highly sensitive criminal investigation.”
The company had previously launched an internal probe after a cyberattack in 2024 led to the exposure of data related to millions of policyholders. The hacker claimed to have extracted 7.24 terabytes of data affecting more than 31 million customers, including medical records and policy documents.
In October 2024, Star Health initiated legal action in the Madras High Court against Telegram and US-based web company Cloudflare, citing the unauthorised use and distribution of customer data through Telegram chatbots.
The court granted a temporary injunction to block access to the data. The insurer also filed a lawsuit naming the hacker. Telegram removed the chatbots in question, but others emerged shortly after. Neither Telegram nor Cloudflare has issued public responses to the suit.
The legal proceedings have underscored the cybersecurity pressures insurers face in Asia, where digital adoption and cloud migration have expanded data exposure. The Star Health case reflects growing concern across the sector about the safety of sensitive customer information and the personal risk to executives.
These developments also follow broader global concerns around threats to insurance leadership. In December 2024, the CEO of UnitedHealth Group in the US was killed in a targeted attack, highlighting risks that go beyond cyber intrusion.
