Barriers to the protection of patient data and  the need for immediate action in light of recent  data breach incidents in India

Shashank Chaturvedi

Shashank Chaturvedi Capstone Project by Cohort 6 of the National Cyber Security Scholar Program

Abstract

In Oct 2024, India’s popular health insurer, Star Health Insurance, faced a massive data leak, which may have compromised the data of 31 million customers. It included names, addresses, dates of birth, health records, Aadhaar card details, and even PAN card photos. It was one of the many data breaches related to patients’ data in the recent past. The DPDP Act was passed on August 11, 2023, after five years of legislative development in light of data breaches. It still awaits the formation of the Data Protection Board of India. This Board will be an enforcement authority, ensuring compliance with the provisions of the Act. Until then, the Act remains unenforceable. DPDP adopts a holistic approach to protecting personal data. In this paper, the factors contributing to the barriers to protecting patients’ data have been explored by analysing the global regulations, laws, or provisions and mapped in the Indian context by examining the expanding digital healthcare footprint in terms of various schemes and initiatives. The paper explores the primary factors as bureaucratic challenges, highlighting that the Digital Healthcare Information Security Act (DISHA) draft was released in 2018; however, it has still not been enacted, considering precedence to DPDP. The second factor is the scoping of the DPDP itself & challenges concerning the emerging technologies that do not categorise patients’ data as “sensitive personal data, “ which has a higher threshold than regular consent, requiring a specialised focus on patients’ data. The third factor lies in the societal state, highlighted by the lack of awareness about data privacy rights. Finally, the fourth factor explores the complex regulatory ecosystem wherein no single, holistic law covers health data protection in India, especially considering emerging technologies such as AI and blockchain. The need for a harmonised and coherent approach to data privacy has been highlighted as a recommendation in the paper.

References

1. Kirimlioglu N. The right to privacy” and the patient views in the context of the personal data protection
in the field of health. Biomedical Research. 2017 Jan 1;28(4):1464-71. the-right-to-privacy-and-the-patient
views-in-the-context-of-the-personal-data-protectionin-the-field-of-health
2. Worldometer. India Population (2025) [Internet]. Dover, Chaturvedi S J. Adv Res. Electro. Engi. Tech. 2025; 12(1&2) DE: Dadax; c2025 [cited 2025 Jul 14]. Available from: https://www.worldometers.info/world-population/
india-population/
3. Press Information Bureau. Social welfare schemes: expenditure increased to ₹23.5 lakh crore [Internet].
New Delhi: Press Information Bureau; 22 Jul 2024 [cited 2025 Jul 14]. Available from: https://www.pib.gov.in/
PressReleasePage.aspx?PRID=2034937
4. Ministry of Health & Family Welfare (India). National Digital Health Blueprint: Report—comments invited
[Internet]. New Delhi: MoHFW; 2019 Jul 15 [cited 2025 Jul 14]. Available from: https://mohfw.gov.in/sites/
default/files/National_Digital_Health_Blueprint_Report_comments_invited.pdf
5. Press Information Bureau. Revolutionising Healthcare: Digital Innovations in India’s Health Sector. New Delhi:
Press Information Bureau; [year unknown] [cited 2025 Jul 14]. Available from: https://pib.gov.in/PressNoteDe
tails.aspx?NoteId=151782&ModuleId=3®=3&lang=1
6. Statista. Digital Health – India [Internet]. Statista; 2025 [cited 2025 Jul 14]. Available from: https://www.statis
ta.com/outlook/hmo/digital-health/india
7. Ministry of Health & Family Welfare (India). Advancing Mental Healthcare in India [Internet]. New Delhi: MoHFW; 2025 Feb 11 [cited 2025 Jul 14]. Available from: https://mohfw.gov.in/sites/default/ files/9147562941489753121.pdf
8. Arthur D. Little. Catalyzing digital health in India [Internet]. 2024. Available from: https://www.adlittle.
com/sites/default/files/reports/ADL_Catalyzing_digital_health_India_2024_0.pdf
9. The Economic Times. Exploring Karjat’s monsoon magic: Nature, wellness, and new-age living. The Econom
ic Times [Internet]. 2025 Jul 10 [cited 2025 Jul 14]; Industry/Services/Property-Construction. Available
from: https://economictimes.indiatimes.com/industry/services/property-/-cstruction/exploring-karjats
monsoon-magic-nature-wellness-and-new-age-living/articleshow/122348093.cms
10. Naithani P. Protecting healthcare privacy: analysis of data protection developments in India. Indian J
Med Ethics [Internet]. 2023 Dec 18 [cited 2025 Jul 14];9(2):149–153. doi:10.20529/IJME.2023.078. PMID Available from: https://ijme.in/articles/protecting-healthcare-privacy-analysis-of-data-protection-developments-in-india/?galley=html&utm_medium=email&utm_source=sendpress&utm_campaign