Exclusive: Star Health hacker says they sent death threats, bullets to India executives

By Munsif Vengattil, Praveen Paramasivam and Aditya Kalra

NEW DELHI (Reuters) - The hacker who leaked sensitive personal data held by Indian health insurer Star Health last year has taken responsibility for sending death threats and bullets to the company’s chief executive and finance head.

The hacker, who goes by the alias “xenZen”, described their reprisals against Star Health and Allied Insurance Company in a March 31 email to Reuters. The news agency is reporting them for the first time.

Star Health, India’s biggest health insurer, has faced criticism from customers and data security experts since Reuters reported last September that xenZen had leaked sensitive client data, including medical reports. At the time, xenZen told Reuters in an email they possessed 7.24 terabytes of data related to over 31 million Star Health customers and were speaking to potential buyers for the data.

The news agency hasn’t independently confirmed the identity or location of xenZen, the accuracy of the facts laid out in the March 31 email or the hacker’s motive for targeting Star Health and its executives, which the email ascribed to the company’s denial of medical claims to certain customers.

In response to questions from Reuters, Star Health’s chief legal officer said in a statement the company could not comment “due to an ongoing, highly sensitive criminal investigation” related to its data leak.

XenZen said they had concealed bullet cartridges in two packages sent to Star Health’s head office in the southern Indian city of Chennai, in Tamil Nadu state, in February.

The email included photographs that showed the packages addressed to Chief Executive Anand Roy and Chief Financial Officer Nilesh Kambli and a note inside which read: “next one will go in ur and ur peoples head. tik tik tik.”

Roy did not respond to a phone call requesting comment, while Kambli told Reuters Star Health’s public relations team would respond on his behalf. The company did not respond to further requests for comment.

The New Indian Express on Saturday reported that police in Tamil Nadu were investigating the threats and had linked them to xenZen.

Tamil Nadu police did not respond to Reuters queries.

Three Indian police sources confirmed an investigation was underway. They declined to be named as the matter is confidential.

One police source said a man from the neighbouring state of Telangana, who the source did not name, has been arrested in recent days for allegedly helping courier the packages to Star Health on behalf of xenZen.

Reuters was unable to identify the individual or the status of his detention.

Globally, health care companies have been reassessing the risks for their top executives after UnitedHealthcare Chief Executive Brian Thompson was murdered in a targeted attack in December. The killing also called fresh attention to deepening patient anger over health insurance.

In the March 31 email to Reuters, xenZen referred to the killing of Thompson and said the death threats to the Star Health executives were sent after the hacker was contacted for help by customers of Star Health who had been denied claims on medical bills despite coverage plans with the company.

Star Health did not comment on what xenZen described as their motive, the claims of dissatisfied customers being denied or the police investigation into the threats.

Star Health launched internal investigations into last year’s data leak, which the company said followed a ransom demand of $68,000 from the hacker.

Star Health last September sued xenZen and messaging app Telegram for hosting the sensitive customer data on its chatbots, court papers show. The chatbots hosting the stolen data have since been deleted and the case is ongoing.

(Reporting by Munsif Vengattil, Aditya Kalra and Praveen Paramasivam; Editing by Lincoln Feast.)
