Barriers to the protection of patient data and the need for immediate action in light of recent data breach incidents in India
Abstract
In October 2024, India's popular health insurer, Star Health Insurance, faced a massive data leak, which may have compromised the data of 31 million customers. The leaked data included names, addresses, dates of birth, health records, Aadhaar card details, and even PAN card photos. It was one of many data breaches involving patients' data in the recent past. The DPDP Act was passed on August 11, 2023, after five years of legislative development in light of data breaches. It still awaits the formation of the Data Protection Board of India. This Board will be an enforcement authority, ensuring compliance with the provisions of the Act. Until then, the Act remains unenforceable. The DPDP adopts a holistic approach to protecting personal data. In this paper, the factors contributing to the barriers to protecting patients' data are explored by analysing global regulations, laws and provisions, and are mapped to the Indian context by examining the expanding digital healthcare footprint in terms of various schemes and initiatives. The paper identifies the primary factor as bureaucratic challenges, highlighting that the Digital Healthcare Information Security Act (DISHA) draft was released in 2018 but has still not been enacted, with precedence given to the DPDP. The second factor is the scoping of the DPDP itself and the challenges concerning emerging technologies: patients' data is not categorized as "sensitive personal data", which has a higher threshold than regular consent, so a specialized focus on patients' data is required. The third factor lies in the societal state, highlighted by the lack of awareness about data privacy rights.
Finally, the fourth factor explores the complex regulatory ecosystem wherein no single, holistic law covers health data protection in India, especially considering emerging technologies such as AI and blockchain. The need for a harmonized and coherent approach to data privacy has been highlighted as a recommendation in the paper.