A petition filed before the Madras High Court calls for a government-led investigation into a significant data breach at Star Health and Allied Insurance, one of India’s largest national insurance firms. The case, filed by cybersecurity researcher Himanshu Pathak, was heard by Justice M. Dhandapani on Monday, who indicated that the Court would issue an order on October 17 regarding whether the Union government has the authority to conduct such a probe.
Pathak’s petition highlights the gravity of the cyberattack, which allegedly exposed the personal data of around 3.1 crore Star Health customers. The breach compromised sensitive information, including mobile numbers, PAN details, addresses, and pre-existing medical conditions.
The data was reportedly leaked on a website run by a hacker known as xenZen. The hacker claims that the company’s Chief Information Security Officer (CISO) played a key role in the incident, a claim that the company denied.
The hacker alleges that Star Health’s CISO sold customer data and later attempted to alter the terms of their illicit agreement. These claims have further fueled calls for a thorough investigation into the company’s senior management role.

The petition demands that the Union government alongwith the Securities and Exchange Board of India (SEBI) should intervene and investigate Star Health. Till the investigations are complete, Star Health’s online operations should be suspended, reports Bar and Bench.
Additionally, the petition demands that the government investigate the alleged relationship between the company’s CISO and the Chinese hacker.
While Pathak’s counsel, Senior Advocate Srinath Sridevan, urged the Court to direct the Union government to lead the inquiry, the Ministry of Electronics and Information Technology (MeitY) contended that such a probe falls under the jurisdiction of the Insurance Regulatory and Development Authority (IRDA) rather than the Central government.
On October 9, Star Health confirmed that it had been the victim of a cyberattack that resulted in unauthorised access to its data. The company noted in a public statement that it had already initiated an internal investigation.
Additionally, the firm informed the Court that it had filed a civil suit to prevent the public disclosure of any customer information.
In the News: Brazil hit by spear phishing campaign using Astaroth malware