A hacker known as “xenZen,” who last year exposed over 31 million sensitive customer records from India’s largest health insurer, Star Health, has claimed responsibility for sending bullets and death threats to two of the company’s top executives.
In a chilling email sent to Reuters on March 31, the hacker said the threats targeted Chief Executive Anand Roy and Chief Financial Officer Nilesh Kambli. The attack stems from accusations that Star Health and Allied Insurance Company denied legitimate medical claims to certain policyholders, some of whom reportedly turned to xenZen for help.
Star Health has been under scrutiny since September 2024, when Reuters reported that xenZen had breached the company’s systems and stolen approximately 7.24 terabytes of data. The leak included highly sensitive customer information such as medical records. The hacker then claimed they were in talks with potential buyers of the stolen data.
The March 31 email included photos of two packages addressed to Roy and Kambli at Star Health’s headquarters in Chennai, Tamil Nadu. Inside were live bullet cartridges and a threatening note that read, “next one will go in ur and ur peoples head. tik tik tik.” According to Reuters, Star Health has not publicly responded to these threats, and requests for comment to both executives were either declined or redirected to the company’s PR team—which has remained silent.
Tamil Nadu police have launched a criminal investigation and have reportedly made one arrest. A man from Telangana is suspected of helping courier the threatening packages on behalf of xenZen, though further details remain confidential. The police have not yet released a public statement, and Reuters has not been able to confirm the hacker’s identity or the full accuracy of their claims.
This development adds to growing concern over the security and accountability of health insurers in India. It also comes amid global anxiety in the sector following the December 2024 murder of UnitedHealthcare CEO Brian Thompson in the U.S., a case that authorities say was connected to rising anger over health insurance denials.
Star Health, for its part, is currently facing a lawsuit it filed last year against xenZen and messaging platform Telegram, which was allegedly used to host the leaked customer data. The lawsuit is ongoing, and the Telegram-hosted chatbots containing the stolen information have since been taken down.
As investigations continue, the incident raises urgent questions about corporate responsibility, data protection, and the extreme lengths some individuals may go to when they feel wronged by large institutions.
