Star Health and Allied Insurance, India’s biggest health insurance company released an official statement last week, regarding the receival of a ransom demand of $68,000 (nearly 57.21 Lakhs) from a cyber hacker. The company was threatened for an alleged leakage of a customer’s medical records and other data. The company admitted for the first time how they had been ‘a victim of cyberattack‘ through a series of emails addressed to the managing director and chief executive by a hacker in August. However, in its Stock Exchange filing, the company mentioned that its functioning remained unaffected by the incident.
Regarding investigations on the attack, the company claimed the engagement of a ‘competent independent third party‘ to participate in the exercise. This breach of customer data was also reported first in September. The company has had to bear the consequences for the same with a reputational crisis since then with an 11% decline in the shares.
Data leaked from India’s largest health insurer?
The hacker exploited the company’s chatbots and dedicated website in order to disseminate the stolen data and continues to share samples of customer information. In response to this, the company launched an internal investigation and initiated a legal action against the hacker and Telegram, the platform where the data leaked. They are collaborating with the Indian Cyber Security authorities to manage the incident.
Star Health said, ‘Despite receiving multiple notices from the company, Telegram has refused to share information about the hacker’s accounts or permanently ban them from the platform.‘ However, the platform claimed they removed the chatbots as soon as they were flagged on it. Through their internal investigations, Star Health identified the hacker as “xenZen” on the platform.
Cost of data breach on companies and customers
It seems that not a day goes by without a headline reporting a data breach at some organisation, putting the company and its customers at risk. According to the IBM Security report on ‘Cost Of A Data Breach in 2024‘, Healthcare data breaches have been the most expensive for 14 years in a row. While companies and partners bear the reputational damages and financial cost bearings, the customer is the worst sufferer when their personal information is leaked. They not only lose faith in the company or the platform where their information got leaked but also suffer from emotional distress due to a sensitive personal information leak that has long-term implications.
A 2021 report by the Identity Theft Resource Center found that 57% of data breaches lead to identity theft. This includes unauthorised access to one’s financial accounts, opening new accounts in the victim’s name, and using their personal information to threaten them and for other fraudulent activities.
A cybersecurity breach has impacts on women’s online participation
The most vulnerable victims of Data Breach are gender and sexual minorities. According to the study, ‘Why Gender Matters in International Cyber Security‘, ‘women and sexual minorities are more profoundly affected by the consequences of data breaches because they may face discrimination or even prosecution as a result. These breaches impact not only their right to privacy but also their sexual and reproductive health rights.‘ Hence, it is important to not just take these incidents as isolated accounts or cyberattacks on companies at large but instead study recurring patterns through intersectional lens on customers too.
As such data breaches affect human rights and shall be analysed beyond just privacy rights considerations. In Star Health’s case, for instance, the company is a critical infrastructure (because of the records of sensitive health data of customers) hence, it should be held accountable too for such data breaches. Even on a national level cyber security policies should be crafted and implemented with a human rights perspective. Given that gender-based violence and inequality are reflected even in the reel world. The digital space also displays a replica of societal norms, cultural expectations, and gender-specific vulnerabilities.
Lasting consequences on women and gender non-confirming individuals
According to UN Women, Women, girls, and gender-non-conforming individuals are more likely to be targeted and experience more severe and lasting consequences because of their gender. Studies across the world show that 16 to 58 percent of women and girls have been targeted by violence online. There is no going back from the digitalisation of the world now and so are the risks to women in cyberspace multiplied.
There are no safe havens to which women can retreat. Another global survey shows that 60 percent of girls and women have faced harassment on social media platforms. This only indicates that online harassment and data breaches will reduce women’s participation in digital spaces. Leading to a lack of voices from the community. When women come from other marginalised identities on grounds of their race, religion, and ethnicity the risks intensify.
In India, at the beginning of July 2021, the internet was horrified after coming across an application hosted on GitHub (an AI-powered developer platform) titled ‘Sulli Deals’ that shared the photographs and social media handles of women belonging to the Muslim community in the country without their consent to purportedly “auction” them. The application aimed to objectify women. It demeaned the targeted women by allowing them to be auctioned for sale to the users of the application.
How effective are the laws on data breaches?
Even though organisations like the National Commission For Women, IT Act, and Digital Data Protection Acts have been in place, we still fail to adequately address the nature of crimes that happen through other intersections. In the GitHub case too as mentioned previously, the data breach followed by instances of online harassment happened specifically towards women belonging to the Muslim community.
Therefore, digital security and instances of data breaches are not simply acts of gender-based harassment but also catalysts to target women from minority and marginalised communities. One in every five young women has opted out of social media after being targeted or harassed. The abuses are further aggravated in cases of women who voice their opinions as well as those women who belong to minority communities on social media platforms and in turn, dissuade them from expressing themselves without any fear or inhibitions.
Women often tend to self-censor their voices and opinions. This squarely violates women’s right to freedom of speech and expression. In a report by the Internet Freedom Foundation, concerns like delayed responses to curb the spread of vitriolic personal information undermined the digital security of women online. The lack of narrowly defined safeguards against data breaches only intensifies the gravity of the cases.
Moreover, law enforcement bodies fail to deliver speedy action against such breaches from time to time. To create a digital world where women and other sexual minorities are free to express themselves, actively participate in the space, and rely on organisations with their sensitive data gendered lens should be taken into account in such cases along with other intersections of identities. A cyber security breach is never isolated from the lived social realities of individuals given the fact that the digital space is nothing but a replica of the offline world.