The hacker known as “xenZen”, who last year leaked sensitive data from Star Health and Allied Insurance Company—India’s largest health insurer—has claimed responsibility for sending death threats and bullet cartridges to the company’s top executives, according to a March 31 email obtained by Reuters.
In a chilling escalation, xenZen said the threats were a direct reprisal for the insurer’s alleged denial of medical claims to customers. The packages, reportedly sent in February to Star Health’s headquarters in Chennai, Tamil Nadu, were addressed to CEO Anand Roy and CFO Nilesh Kambli. Inside, a note warned:
“next one will go in ur and ur peoples head. tik tik tik.”
Reuters reviewed photographs included in the hacker’s email that appear to show the threatening packages. While the news agency has not independently verified the hacker’s identity or the full accuracy of the information provided, three Indian police sources confirmed that a criminal investigation is underway. According to one source, a man in the neighboring state of Telangana has been arrested for allegedly facilitating the delivery of the packages.
Star Health declined to comment in detail, citing an “ongoing, highly sensitive criminal investigation.” CFO Kambli directed inquiries to the company’s PR team, and CEO Roy did not respond to calls for comment.
The case adds to growing concerns over executive security in the healthcare industry, especially after the murder of UnitedHealthcare CEO Brian Thompson in December — an incident that reportedly inspired xenZen’s threats.
Last year, the hacker leaked what they claimed was 7.24 terabytes of personal data related to over 31 million customers, including medical reports and insurance details. Star Health confirmed the data breach, which followed a ransom demand of $68,000. The company has since launched legal action against xenZen and Telegram, which was used to distribute the stolen data via chatbots. Those bots have since been removed.
In the latest email, xenZen claimed the threats followed requests from disgruntled customers who alleged their valid claims had been denied despite having coverage. Star Health has not responded to these specific allegations.
As the case unfolds, the incident raises urgent questions about data security, corporate accountability, and the physical safety of executives in an era where cyberattacks increasingly blur into real-world consequences.
