IRDAI action against Care Health Insurance Ltd. for claim settlement, governance & accounting failures

The Insurance Regulatory and Development Authority of India (IRDAI) has passed a detailed enforcement order against Care Health Insurance Ltd. after a remote inspection exposed wide-ranging regulatory breaches relating to policyholder communication, claims handling, cyber security, reinsurance accounting and management of policyholder funds.

While multiple charges resulted in formal warnings and advisories, the Authority has imposed a monetary penalty of Rs. 1 crore under Section 102 of the Insurance Act 1938, primarily on account of serious deficiencies in health claim processing and related corporate governance lapses.

This order, bearing reference IRDAI/E&C/ORD/MISC/138/12/2025 and dated 15th December 2025, arises from a remote inspection conducted between 30th August 2021 and 9th September 2021, followed by extensive correspondence, a personal hearing, and post‑hearing submissions by the insurer.

Regulatory background and proceedings

Inspection and follow-up

IRDAI initiated a remote inspection of Care Health Insurance Ltd. for the period 30th August 2021 to 9th September 2021. The resulting inspection report, which highlighted breaches of the Insurance Act, 1938 and multiple regulations, guidelines and circulars issued thereunder, was forwarded to the insurer on 10th August 2022 for comments. The insurer responded by email dated 12th September 2022.

After reviewing these responses, the Authority issued a Show Cause Notice (SCN) vide Ref. No. IRDA / E&C / 2022-23 / 704 / SCN/LR/072 on 13th December 2024. The insurer’s reply was received on 18th January 2025.

On the insurer’s request, a personal hearing was granted on 18th June 2025, chaired by:

  • Shri Deepak Sood, Member (Non-Life), and
  • Shri P K Arora, Member (Actuary).

Senior officials of the insurer, including the Managing Director & CEO, Chief Financial Officer, Chief Risk Officer, Head – Claims and Head – IT, participated in the hearing. Additional written submissions were filed on 30th June 2025.

The Authority evaluated all replies to the inspection report, the SCN response, oral submissions during the hearing and subsequent undertakings before crystallising the charges and final directions.

Charge 1 – Non-compliance in grievance closure communication and ombudsman details

Regulatory provisions involved

IRDAI examined violations of:

  • Clause-5 (ii) of Annexure-I under Regulations-17 (2) of IRDAI (Protection of Policyholders’ Interests) Regulations, 2017; and
  • Clause-6 of IRDAI’s Guidelines on Corporate Governance (Ref. No. IRDA/F&A/GDL/CG/100/05/2016 dated 18th May 2016).

Core inspection findings – Ombudsman information (Observation A‑11)

The inspection revealed that whenever a grievance was rejected or closed against the policyholder’s interest, the insurer:

  1. Did not explicitly mention the name and postal address of the competent Insurance Ombudsman in closure or claim repudiation letters, and
  2. Limited the letters to customer care contact numbers and generic email IDs.

As a result, assessee‑policyholders who were dissatisfied with the resolution were not clearly informed of their statutory right to approach the Insurance Ombudsman, nor were they told which Ombudsman was competent for their case.

Insurer’s defence and corrective actions

The insurer argued that:

  • Ombudsman details were provided via hyperlink in grievance communications due to frequent jurisdictional changes;
  • From 27th December 2024, they had begun manually appending Ombudsman particulars in communications, and sample letters were submitted;
  • At the hearing, the Authority pointed out that even the 27th December 2024 email only contained a link rather than the specific Ombudsman name and address; the insurer acknowledged gaps in compliance;
  • A system-based enhancement was rolled out on 6th June 2025 to auto-populate specific Ombudsman details for customers; and
  • An undertaking dated 30th June 2025, signed by the MD & CEO and the Chief Compliance Officer (CCO), confirmed that all grievance resolution and claim rejection letters would henceforth carry full Ombudsman details.

IRDAI’s concerns and decision on Charge 1

IRDAI held that providing only a hyperlink severely compromised the ease of access to grievance redressal for policyholders, placing the onus on them to identify the correct Ombudsman. This was seen as inconsistent with the spirit of policyholder protection and good corporate governance.

Although the insurer has now modified its process, the Authority recorded non-compliance for the relevant period and has:

  • Warned the insurer for violation of the above‑stated provisions; and
  • Stated that any repeat lapse will invite far more stringent regulatory action.

Charge 2 – Delay in closure of cyber security vulnerabilities

The Authority examined contraventions of:

  • Clause 14.4(c) of circular no. IRDA/IT/CIR/MISC/301/12/2020 dated 30.12.2021; and
  • Clause-6 of the Corporate Governance Guidelines (Ref. No. IRDA/F&A/GDL/CG/100/05/2016).

Inspection findings – Vulnerability management (Observation B‑14)

As part of its Information and Cyber Security Policy, the insurer had outsourced Vulnerability Assessment and Penetration Testing (VAPT) to third‑party security firms. Verification audits between 04.04.2020 and 25.02.2021 showed that:

  • Out of 290 identified vulnerabilities, 75 were closed after the agreed turnaround time (TAT);
  • This included 13 vulnerabilities categorised as critical and high severity; and
  • In at least one case, the vulnerability remained open even after the lapse of TAT.

Insurer’s explanation

The insurer stated that:

  • Certain observations required longer time due to product dependencies and complex IT integrations;
  • Unresolved items beyond TAT were escalated to the Information Security Risk Management Committee (ISRMC) with risk assessment and compensating controls, in line with IRDAI Cyber Security Guidelines, 2023;
  • All critical/high‑severity observations existing at the time of inspection had been closed and implemented; and
  • A detailed vulnerability status as on 31st March 2025 was presented to the ISRMC in its meeting on 18th April 2025, with no items pending closure.

IRDAI’s ruling on Charge 2

IRDAI concluded that there had been a breach of the above provisions and:

  • Issued a warning for the identified violations; and
  • Directed the insurer to place the current status of vulnerability management before the Board‑constituted Risk Management Committee and submit an action taken report within 90 days of the order.

Charge 3 – Major lapses in health claim documentation, discounts and communication

Charge 3 consolidates three connected observations, all of which relate to health claim handling and communication to assessee‑policyholders.

(A) Missing patient signatures in cashless claim documents (Observation C‑15)

Relevant provisions

IRDAI examined violations of: