Sources said the company is also faced with high attrition of field and branch-level staff, particularly those in tier-2 and tier-3 cities.

The fallout owing to the massive data breach at Star Health and Allied Insurance Co. Ltd may have sparked a leadership crisis, according to sources, with at least three to four CXO-level executives said to have expressed their desire to move on from the company.

The executives, according to the sources cited, include the insurer’s Chief Risk Officer, Chief Financial Officer, Chief Compliance Officer, and Chief Information Security Compliance Officer (CISCO). These top executives play a critical role in keeping the company’s cybersecurity intact, and hence are a critical part of the ongoing investigations.

Staff exodus

Sources said the company is also faced with high attrition of field and branch-level staff, particularly those in tier-2 and tier-3 cities. According to multiple people aware of the developments, about 1,600-1,800 employees across various locations have either resigned or have been asked to leave by the company.

“The excessive pressure on business and an internal re-organisation of roles has prompted some employees at the field and branch levels to quit the company. Some employees were asked to leave because redundancies were identified,” said a senior executive who did not want to be named.

However, Star Health responded to Moneycontrol’s queries, saying, “Our attrition levels over the past year have been in line with historical trends and remain well below the industry average. We see no anomaly or pattern that suggests otherwise.”

Cyber breaches

To compound the matter, the company’s cyber breaches may make it susceptible to financial penalties under India’s proposed digital protection laws, namely the Digital Personal Data Protection Act (DPDP Act) 2023. If tried under this law, the company could face a significant financial impact from the breach, considering the scale and sensitivity of the compromised health data, which is classified as high-risk.

India’s Information Technology Directions 2022 require companies to report data breaches within six hours, or face penalties for an offence under Section 70B(C), which carries fines of up to Rs 17.6 crore per breach.

Under the DPDP Act, the company may have to pay a penalty of up to Rs 250 crore for failing to secure the policyholders’ health data, said Surya Senthil, Litigator & Advisor, Former Madras High Court Advocate and Member Judge, Government of India.

However, the contentious issue is that while the ‘Act’ is in place, the ‘rules’ are yet to be formulated for implementation of the DPDP Act.

Hence, “the retrospective nature of DPDP Act still remains unclear,” said Senthil.

When asked for a clarification on the financial impact of the breaches, the company denied these claims and said, “The figure being speculated is entirely unfounded and unrealistic. Any projection of penalties is purely speculative and misleading.”

A recent report by Reuters said the data of at least 30 million users may have been compromised, though Moneycontrol could not independently verify this number.

Sources cited say the breach may have exposed critical data such as names, phone numbers, addresses, Aadhaar and PAN card copies, medical test results, diagnoses, policy details, tax records, passport-size photos, weight, height, blood tests, ECGs, X-rays, hospital bills, injury photos, and pre-existing disease records, potentially including data of children covered under the insurance plans of their parents.

The breach’s accessibility via Telegram chatbots amplified its impact, allowing anyone to query and retrieve specific customer records within minutes.

Star Health, with assistance from the Madras High Court and the Indian Cyber Crime Coordination Centre, shut down the Telegram bots and websites by October 2024, though the extent to which the data was downloaded or distributed remains unclear.

The company has filed a lawsuit against Telegram, seeking to block the spread of leaked customer data through Telegram chatbots and other platforms. Telegram has denied wrongdoing and is cooperating with the investigation, according to the Reuters report cited earlier.

Hacker havoc

According to Reuters, the hacker, under the name “xenZen”, has claimed to possess 7.24 terabytes of data, offering it for sale at $150,000 for the entire database.

Sometime last year, xenZen alleged in a post on X that Star Health’s Chief Information Security Officer (CISO), Amarjeet Khanuja, sold the data for $43,000 and later demanded an additional $150,000, alleging the senior management wanted a cut. However, two independent forensic probes commissioned by Star Health found no evidence of the CISO’s involvement, labelling the hacker’s accusations as fabricated, according to reports.

The saga took a darker turn on May 9, 2025, when xenZen sent death threats and bullets to Star Health executives, targeting them over denied insurance claims, according to Reuters.

The breach was first noticed by Star Health on August 13, 2024, when an unidentified person contacted the company claiming access to “a few claims data”, after which the company reported the matter to the Tamil Nadu cybercrime department and India’s federal cybersecurity agency, CERT-In (Computer Emergency Response Team).

In a stock exchange filing dated August 14, 2024, the company described the incident as a limited breach with “no widespread compromise.”

“The unauthorised acquisition and dissemination of customer data is illegal, and we are actively working with law enforcement to address this criminal activity,” Star Health said in a media statement on August 24.