Niva Bupa investigates potential data breaches following the threat actor’s claim

Niva Bupa Health Insurance, India’s leading provider of health insurance products, has launched an investigation into a potential data breach after receiving an anonymous claim of unauthorized access to its customer information. The company confirmed on Friday that a threat actor had contacted them via email, asserting they had obtained sensitive customer data.

Niva Bupa is a joint venture between Bupa and True North focusing on accessible and comprehensive healthcare coverage. The company acknowledged the claim and assured stakeholders that it was urgently treating the matter. While the insurer confirmed it had received the email alleging possession of customer data, no further details about the scale or nature of the breach have been disclosed.

The alleged breach follows Niva Bupa’s recent public listing in November 2024, during which it raised Rs 800 crore through a fresh issue of shares. The IPO also included an offer for sale by Bupa Plc and a special purpose vehicle backed by private equity firms True North and Faering Capital, which collectively held a 17.47% stake as of December 31, 2024. The insurer’s shareholder base includes prominent investors such as Singapore’s state investment firm Temasek, alongside Indian private equity firms A91 Partners and Motilal Oswal Alternates. Both Temasek and A91 had increased their stakes ahead of the IPO.

The cybersecurity incident adds to a growing list of data breaches affecting India’s insurance sector. In recent months, HDFC Life Insurance disclosed that customer data had been shared with them from an unidentified source. At the same time, Star Health reported in August 2024 that medical records and other customer information had been compromised.

With cybersecurity threats becoming more frequent in the financial and healthcare industries, data privacy and regulatory compliance concerns are escalating. Niva Bupa has assured customers that it is taking all necessary steps to investigate the matter and reinforce its security protocols to mitigate potential risks. The company’s response underscores the critical need for robust data protection measures as organizations handling sensitive consumer information remain prime targets for cyberattacks.