Introduction:

In a significant legal development, the Delhi High Court granted a temporary injunction in favor of Niva Bupa Health Insurance Company Ltd. (“Niva Bupa”), restraining unknown entities from publishing, distributing, or disclosing the company’s confidential customer data following a ransomware threat. The court also directed the removal of a rogue website, NivaBupaLeaks.com, which had unlawfully published sensitive information.

Background:

Niva Bupa, a prominent health insurance provider, collects and stores sensitive personal data of its customers as part of its business processes and to meet statutory and regulatory obligations. This data includes names, identity proofs, addresses, policy details, premium information, mobile numbers, and other personal information.

On February 20, 2025, Niva Bupa officials received an email from an anonymous individual, referred to as “John Doe” in legal proceedings, claiming to have acquired all of Niva Bupa India’s customer and insurance claims data. The email provided details of a website, NivaBupaLeaks.com, where the confidential data had been uploaded, and suggested that the issue could be resolved if the company paid a satisfactory price. Subsequently, Niva Bupa’s Managing Director and CEO received another email from the same individual, sharing insurance claim documents of Niva’s customers and threatening permanent damage unless a deal was made.

Plaintiff’s Arguments:

Represented by Senior Advocate Pradeep K. Bakshi, Niva Bupa contended that the unknown defendant had unlawfully acquired its confidential information with the intent to misuse it. The creation of a website using Niva Bupa’s trademarks, “Bupa” and “Niva Bupa,” indicated a high likelihood of impersonation and potential fraud against its customers. The unauthorized access and dissemination of confidential information could lead to severe consequences, including identity theft, financial fraud, privacy violations, and phishing attacks. Such misuse posed significant risks to Niva Bupa’s brand and reputation, customer trust, and regulatory obligations. The company also argued that unauthorized dissemination of its data would undermine its competitive position in the insurance market.

Niva Bupa further referenced a previous case, Niva Bupa Health Insurance Company Ltd. vs. Telegram FZ-LLC & Ors (2024), where the Delhi High Court issued a temporary injunction in favor of Niva Bupa under similar circumstances. In that case, the court restrained unknown defendants from publishing, distributing, or disclosing its customers’ personal data following a ransomware extortion threat and directed social media intermediaries, including Telegram, to remove access to the unknown defendant’s accounts and domain names used to transmit the customers’ confidential data.

Court’s Judgment:

Justice Mini Pushkarna, after considering the plaintiff’s submissions, observed that Niva Bupa had demonstrated a prima facie case for the grant of an injunction. The court noted that if an ex-parte ad-interim injunction was not granted, the plaintiff would suffer irreparable loss, and the balance of convenience lay in favor of the plaintiff.

Consequently, the court issued the following directions:

• Restraint on the Unknown Defendant: The unknown defendant was restrained from using, copying, publishing, distributing, transmitting, communicating, or disclosing Niva Bupa’s confidential information by any medium or on any platform. The defendant was also prohibited from publishing, uploading, or circulating any content depicting the use of any trademark identical or deceptively similar to Niva Bupa’s trademarks.
• Removal of Rogue Website: The court directed the removal of the rogue website, NivaBupaLeaks.com, and ordered the blocking of email IDs associated with the unknown defendant. The domain registrar was instructed not to register the rogue website or any other name identical to Niva Bupa’s brand name as part of any domain name in the future.
• Compliance by Intermediaries: Social media intermediaries and other relevant platforms were directed to remove, delete, block, and disable accounts, content, and data disseminating Niva Bupa’s confidential information within 24 hours of intimation by the plaintiff.

Conclusion:

The Delhi High Court’s swift and decisive action underscores the judiciary’s commitment to protecting individuals’ privacy rights and the confidentiality of sensitive customer data. In an era where cyber threats are increasingly sophisticated, this judgment serves as a crucial precedent for organizations facing similar challenges, emphasizing the importance of robust legal frameworks and proactive measures to safeguard against data breaches and ransomware attacks.