Star Health Sues Telegram and Hacker for Data Leak

By Munsif Vengattil and Aditya Kalra

BENGALURU (Reuters) – Top Indian insurer Star Health has initiated a lawsuit against Telegram and a self-proclaimed hacker following reports that the hacker exploited chatbots on the messaging platform to leak personal data and medical reports of policyholders.

The lawsuit arises amidst increasing global scrutiny on Telegram, especially following the recent arrest of its founder, Pavel Durov, in France. Allegations suggest that the app’s features were misused for illegal purposes, which Durov and Telegram have denied while attempting to address the criticism.

Star Health has obtained a temporary court injunction in Tamil Nadu directing Telegram and the hacker to immediately block any chatbots or websites in India that distribute the leaked data publicly.

Additionally, Star Health has included U.S.-listed software company Cloudflare in the lawsuit, claiming that the leaked data was hosted through its services.

The Madras High Court order, dated September 24, quoted Star as stating, “Confidential and personal data of … customers and of the plaintiff’s business activities in general has been hacked and leaked by using the platform (of Telegram).”

Star Health, which has a market capitalization exceeding $4 billion, publicly revealed details of the lawsuit for the first time in a newspaper advertisement in The Hindu on Thursday.

The court has issued notifications to both Telegram and Cloudflare, with the next hearing scheduled for October 25.

In the advertisement, Star Health requested an injunction restraining Telegram and Cloudflare from using the trade name “Star Health” or making any of its data accessible online.

Despite requests for comments, Star Health, Telegram, and Cloudflare did not respond to Reuters.

Telegram, which boasts around 900 million active monthly users, has become one of the largest messaging applications in the world largely due to its chatbot functionality.

Last week, Reuters reported that an individual known as xenZen had made the stolen data, including medical reports of Star customers, publicly available on Telegram shortly after the platform’s founder faced allegations of allowing it to facilitate crime.

Star Health previously mentioned that its assessments indicated “no widespread compromise” and that “sensitive customer data remains secure.”

The two chatbots that disseminated Star Health data were capable of providing claim documents in PDF format and allowed users to request up to 20 samples from 31.2 million datasets with a single click. This included sensitive information like policy numbers, names, and even body mass indices.

In tests conducted by Reuters, over 1,500 files were downloaded, some of which were dated as recently as July 2024. These documents included policy and claims data featuring names, phone numbers, addresses, tax cards, ID copies, test results, medical diagnoses, and blood reports.

On September 16, Reuters alerted Telegram about the chatbots, and within 24 hours, spokesperson Remi Vaughn reported that they had been “taken down.” However, additional chatbots emerged afterward.

Star Health has also named the alleged hacker, xenZen, in the lawsuit. The hacker, in correspondence with Reuters, expressed willingness to participate in the hearings online if allowed.

The Star Health incident is part of a wider trend of hackers utilizing chatbots to sell stolen data. According to a 2022 NordVPN survey, India accounted for the highest percentage of victims, representing 12% of five million affected individuals.