Star Health Data Breach | Madras High Court Dismisses Plea By Cyber Security Expert Seeking Probe Into Security Lapses
The Madras High Court has dismissed an appeal filed by cybersecurity specialist Himanshu Pathak against a single judge's order dismissing his plea seeking directions to the Ministry of Electronics and Information Technology, the Ministry of Finance, the Ministry of Home Affairs, the Ministry of Corporate Affairs, IRDAI, and SEBI to inquire into alleged data security lapses in Star Heath Insurance Company.
The bench of Chief Justice SA Dharmadhikari and Justice G Arul Murugan noted that while dismissing his writ petition, the single judge had rightly given him liberty to work out his remedies in pending civil proceedings, and thus there was no error or infirmity in the decision of the writ court.
“When both the civil and criminal cases are pending against the appellant and the issue is sub judice before the concerned courts, any further claim or action by the appellant would only be based on the ultimate decisions to be arrived at in the pending proceedings,” the court said.
Pathak had approached the court to direct the Ministries to take action based on his representation, in which he had claimed that the company's security system had vulnerabilities and any person could access its data. While the petition was pending, on October 9 2024, Star Health became a victim of the cyber-attack.
Pathak submitted that he was a policy holder with Star Health and when he viewed details of his policy in the company's website, he noted that there were certain vulnerabilities in the website, by which third parties could have access to view the profile of other policy holders and there were chances of data being stolen.
Pathak submitted that though the company had thanked him for bringing the same to their notice, they later filed a suit against him for unauthorisedly accessing and collecting data, and stealing the same. An interim injunction was passed against Pathak which was later made final. A complaint was also lodged by the CCD for offences under Section 66 and 43(b) of the Information Technology Act.
Pathak submitted that though he had preferred a complaint with all ministries, but no action had been taken. This prompted him to approach the writ court which had dismissed the plea noting that a civil suit filed by the company against Pathak was already pending and that there could not be parallel proceedings for the same issue. Against this, Pathak had preferred the present appeal.
Star Health opposed the appeal and submitted that Pathak, who was a service provider in cyber security had hacked their data and threatened them for a ransom to avail his services. The company submitted that due to the cyber breach committed by Pathak, the company had also lodged an FIR and the chargesheet had also been filed. A plea filed by Pathak to quash the case was also dismissed.
The company submitted that Pathak had filed the plea only to scape from the legal consequences. With respect to the data breach, the company informed the court that it had reported the incident to all the authorities and necessary steps had been taken. It was submitted that a foolproof cyber security system was also in place. The company thus argued that the writ court had rightly rejected Pathak's plea and the same did not warrant any interference.
The court noted that Pathak would have had a right to seek remedy if there were allegations of data being stolen or removed from the online portal of the company. In the present case, the court noted that Pathak's only claim was that he was able to access the details of other policy holders using certain methods. The court noted that Pathak had neither obtained the company's permission before accessing data of other policy holders nor was his services availed by the company. The court thus remarked that Pathak's action amounted to intrusion or unauthorised access. The court however refrained from making any comments on the issue since the matters were sub-judice.
The court noted that Pathak, being involved in the business of providing cyber security had accessed the company's portal and attempted to prevail the company to engage his services.
“In the absence of any lapse or data breach by any one, the appellant himself, having committed an illegal access and data breach, had after his attempt and negotiation ended in failure and faced with the civil and criminal proceedings, had thought it fit to raise a complaint. When none of the personal right of the appellant is affected and his personal data has not been breached, the writ petitions filed itself is not maintainable,” the court observed.
Thus, finding no infirmities in the writ court's order, the bench dismissed the appeal.
Counsel for Petitioner: Mr. Nithyaesh Nataraj for Mr. Vaibhav Rangarajan Venkatesh
Counsel for Respondent: Mr. Krishna Srinivasan Senior Counsel for M/s. S. Ramasubramaniam and Associates
Case Title: Himanshu Pathak v Ministry of Electronics and Information Technology
Citation: 2026 LiveLaw (Mad) 154
Case No: W.A.Nos.640, 641, 645, 827, 828 and 829 of 2026