Shielding Patient Data: Delhi High Court Moves Against 'Niva Bupa' Extortionists

In a major development regarding digital security in the Indian financial sector, the High Court of Delhi has passed an ex-parte ad-interim injunction against anonymous actors who attempted to extort Niva Bupa Health Insurance Company Limited. Overseeing the matter, Hon'ble Ms. Justice Mini Pushkarna directed the immediate blocking of several domain names and email addresses linked to a sophisticated data leakage campaign.

The Anatomy of a Digital Siege

The legal battle began when Niva Bupa’s leadership, including MD and CEO Krishnan Ramachandran, began receiving threatening emails from an anonymous entity using the pseudonym "xenZen." The attackers claimed to have breached the company’s internal security, acquiring sensitive customer data—including policy details, medical claims, and personally identifiable information—up to February 2025.

The extortionists went as far as creating dedicated portals, NivaBupaLeaks.com and nivabupaleaks.st , to host the stolen data. The threat was explicitly clear: pay a ransom or face the permanent public dissemination of confidential policyholder information. To prove their reach, the hackers even shared data related to a policy issued on the same day the threat was sent.

Legal Strategy and Precedents

The court found that the plaintiff had demonstrated a clear prima facie case, noting that the threat of irreparable loss to both the company’s reputation and the privacy rights of its thousands of customers necessitated immediate judicial intervention.

The court drew heavily from recent jurisprudence regarding cybersecurity and data leaks. Specifically, the court referenced the ongoing Star Health and Allied Insurance Co. Ltd. vs. Telegram Messenger & Ors. matter from the Madras High Court, which established that the high-stakes nature of financial data requires proactive judicial protection. The Delhi High Court also noted its own previous handling of a similar incident involving Niva Bupa in December 2024, emphasizing that these organized ransomware-style attacks on the insurance sector have become a recurring threat.

Key Observations

The Court underscored the gravity of the situation in its order:

• "In view of the above circumstances, the plaintiff has demonstrated a prima facie case for grant of injunction and in case no ex-parte ad-interim injunction is granted, the plaintiff will suffer an irreparable loss."
• "The unauthorized access and/or dissemination of the confidential information, can lead to severe consequences, including, identity theft, where hackers may impersonate individuals for fraudulent transactions, causing reputational harm."
• "The plaintiff also has a legal and contractual obligation to protect the security of such data and privacy of its clients."

The Court’s Mandate

The High Court’s order acts as a digital protective shield, requiring: 1. Domain Take-downs: Registry operators must permanently disable the rogue websites NivaBupaLeaks.com and nivabupaleaks.st . 2. Communication Blackout: Internet intermediaries are directed to block specific email IDs used by the extortionists to contact the insurance firm. 3. Discovery: The defendants (domain registrars and intermediaries) must disclose KYC details and logs of the individuals behind these attacks to aid law enforcement. 4. Future-proofing: The order allows the plaintiff to approach the Joint Registrar to extend these protections to any new rogue domains or links that may emerge during the pendency of the suit.

This order serves as a stern warning against cybercriminals targeting India’s financial institutions, reaffirming that the court will not hesitate to grant "John Doe" style injunctions to protect the financial and personal integrity of citizens and corporate entities alike.

The matter is now listed for further proceedings on August 28, 2025, while the law enforcement investigation at the Cyber South Police Station in Gurugram continues in parallel.