
Data Privacy in Hospitals: The Imperative in an Era of Digitization

Healthcare institutions today manage vast quantities of highly sensitive personal data: medical histories, test results, billing details, and patient identifiers. That makes a strong system for data privacy in hospitals a necessity in the era of digitization. When such data is mismanaged or mishandled, the consequences for patient privacy and trust are severe. Following the enactment of the Digital Personal Data Protection (DPDP) Act, 2023, the Indian healthcare sector is navigating new legal expectations and challenges.

Digital Personal Data Protection Act, 2023: A Brief Overview

The DPDP Act governs the processing of digital personal data within India, including personal data collected offline and digitized later. It also applies to processing carried out outside India when that processing is connected with offering goods or services to individuals within India.

Key healthcare-relevant provisions include:

Consent: Healthcare providers must obtain free, specific, informed and unambiguous consent before collecting, storing, or using health data, except where the Act recognises a "legitimate use" (responding to a medical emergency is one of these).

Data minimization and purpose limitation: Only the data necessary for a specified purpose may be collected, and it may be used only for that purpose.

Security safeguards: Providers must adopt reasonable security safeguards to prevent personal data breaches, in practice controls such as encryption, access logging, and regular audits.

Breach notification: Any personal data breach must be notified to the Data Protection Board and to each affected individual, in the form and within the timeline prescribed under the rules.

Rights of patients (the Act's "Data Principals"): Patients can access information about how their data is processed, have it corrected or erased, and withdraw consent.

Penalties for non-compliance: Violations attract heavy monetary penalties, up to ₹250 crore for failing to implement reasonable security safeguards.

Indicators of a Worsening Trend (2019–2024)

2019–2020: Early warnings about the value of health data and the first publicised breaches.

2021–2022: Digital healthcare scales up rapidly; the first major incidents emerge.

2023: Breach costs and attack volumes escalate; major leaks, including the CoWIN exposure, come to light.

2024: Cost per breach keeps rising; healthcare sees its highest weekly attack volumes, and the Star Health leak becomes public.

Recent Real-World Examples (2023–2025)

1. Massive Data Exposure: Redcliffe Labs (Oct 2023)

A security lapse at Noida-based Redcliffe Labs exposed approximately 12.3 million patient records, including test results, scans, and identity details, in a database left accessible without authentication. The incident highlights the urgent need for mandated security controls and breach prevention.

2. HealthGenie Exposure (April 2024)

Delhi-based HealthGenie left an Amazon S3 bucket unsecured, exposing the personal and clinical details of around 450,000 patients. The incident underscores the risk of inadequate cloud security: data that is ostensibly private is only as private as the storage configuration that holds it.
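The HealthGenie exposure follows a familiar pattern: a storage bucket whose policy grants read access to the anonymous principal, with Block Public Access switched off so nothing overrides that grant. The Python below is an added illustration, not code from the original post or from any organisation named here. It evaluates two constructed bucket policies (the bucket name, account ID and role name are made up) against constructed Block Public Access settings, flags the combination that leaves objects world-readable, and shows the hardened policy beside it: access restricted to one application role, with a Deny for any request that is not over TLS.

```python
"""Flag S3 bucket configurations that expose objects to anonymous readers.

Added illustration for the HealthGenie incident described above. Every
policy and setting in this file is a constructed sample, not the real
bucket's configuration.
"""
import json

# Constructed sample: a bucket policy granting anonymous read on every object.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-lab-reports/*",
    }],
}

# Constructed sample: access limited to one application role, TLS enforced.
# The account ID and role name are hypothetical.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/lab-portal-app"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-lab-reports/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-lab-reports",
                     "arn:aws:s3:::example-lab-reports/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# The four S3 Block Public Access settings; a hardened bucket has all four True.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True if the Principal element matches everyone (the anonymous user)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_allow_statements(policy):
    """Return Allow statements that grant rights to the anonymous principal.

    A Deny to "*" is the normal way to enforce TLS or VPC restrictions, so only
    Allow statements count. Statements carrying a Condition are still reported,
    since a condition such as aws:SecureTransport does not stop public reads.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_access_block_gaps(settings):
    """Return the Block Public Access flags that are missing or False."""
    return [name for name in PAB_SETTINGS if not settings.get(name, False)]


def assess_bucket(policy, pab_settings):
    """Combine both checks into a verdict a reviewer can act on."""
    grants = public_allow_statements(policy)
    gaps = public_access_block_gaps(pab_settings)
    return {
        "public_grants": grants,
        "pab_gaps": gaps,
        # RestrictPublicBuckets overrides an existing public policy; without it,
        # an anonymous Allow statement leaves the objects world-readable.
        "exposed": bool(grants) and "RestrictPublicBuckets" in gaps,
    }


if __name__ == "__main__":
    weak_pab = {name: False for name in PAB_SETTINGS}
    hardened_pab = {name: True for name in PAB_SETTINGS}
    print(json.dumps(assess_bucket(WEAK_POLICY, weak_pab), indent=2))
    print(json.dumps(assess_bucket(HARDENED_POLICY, hardened_pab), indent=2))
```

Against a live account the same checks run over the output of `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`; the offline version above is deliberately limited to the policy document and the four flags, so bucket ACLs and object-level ACLs (which IgnorePublicAcls neutralises) are outside its scope.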

3. Star Health Telegram Leak (2024)

A hacker used Telegram chatbots to distribute sensitive data of millions of Star Health customers, including medical reports and personal identifiers. The attack shows how quickly breached data can become public and be disseminated at scale once it leaves the organisation.

4. Jharkhand AYUSH Portal Breach (Sept 2023)

At least 320,000 individuals' records, including names, medical diagnoses and login credentials, were compromised via Jharkhand's AYUSH portal. It is a clear example of how security failures in public health platforms can severely damage patient trust.

5. Delhi Hospital Cyberattacks (June 2025)

Servers at Sant Parmanand and NKS Super Speciality Hospitals were hacked, disrupting access to patient records and forcing OPD/IPD operations onto manual processes. An FIR under the IT Act was lodged. The incident shows how cyber attacks can cripple healthcare delivery itself, and why prompt breach notification is critical.

6. KillSec Attacks: Apollo Hospital & Others

The ransomware group KillSec conducted phishing campaigns against Apollo Hospital in October 2024 and targeted other healthcare entities, threatening to leak sensitive patient data—especially of high-profile individuals.

DPDP Act: How It Addresses These Gaps

Inadequate cloud security leading to exposures: The Act requires reasonable security safeguards to prevent breaches and penalises their absence; significant data fiduciaries must also undergo periodic audits.

Lack of breach notification: Every personal data breach must be notified to the Data Protection Board and to the affected individuals.

Over-collection and reuse of data: Data minimization and purpose limitation restrict collection and onward use to what the stated purpose needs.

Consent not obtained or misused: Processing requires free, specific, informed consent unless a listed legitimate use applies.

Patient rights ignored (e.g., correction, erasure): Patients gain enforceable rights to access, correct and erase their data.

Weak implementation across digital platforms: The Data Protection Board enforces the Act and can impose monetary penalties.

Challenges to Implementing the Act in Healthcare

The implementation of the Digital Personal Data Protection Act, 2023 in healthcare faces several structural and practical hurdles. A primary challenge is the low level of awareness among both patients and providers, which may hinder adoption. Many individuals are still unfamiliar with their rights under the Act, while smaller healthcare providers often lack the knowledge or resources to comply with new mandates.

Another major barrier is the high cost of compliance and technical burden, particularly for smaller clinics, diagnostic labs, and rural hospitals. Upgrading systems, training staff, and maintaining secure data environments demand significant investment that many organizations may struggle to afford. Emergency care raises a further practical concern: although the Act lists responding to a medical emergency among the legitimate uses for which consent is not required, front-line staff who are unaware of that carve-out may still hesitate or delay treatment while seeking consent, so awareness of the exemption matters as much as the rule itself.

Healthcare institutions also face a complex infrastructure overhaul. To meet the Act's requirements, hospitals must adopt encryption, implement logging and auditing mechanisms, upgrade IT systems, publish a contact point for data protection queries and, where notified as significant data fiduciaries, appoint Data Protection Officers (DPOs). For many facilities, especially those outside large metropolitan areas, this represents a steep learning curve and a costly transition. There is also the risk of inconsistent enforcement across regions and healthcare subsectors, which could create confusion and uneven compliance standards nationwide.

Legal Expert Insights & Wider Reflections

Legal experts note that the Act marks a significant step forward by empowering patients with greater control over their data while imposing clear duties on hospitals and healthcare providers. However, they emphasize that compliance will not be straightforward. Bridging the gap will require capacity-building initiatives, training programs, and government support, especially for smaller players in the healthcare ecosystem.

At the same time, experts argue that the Act cannot succeed without a deeper cultural shift. The demand for accountability and transparency is already strong in the wake of repeated healthcare data breaches, but true change requires hospitals to treat patient privacy as a core institutional value, not just a legal checkbox. By prioritizing trust, transparency, and proactive security, the healthcare sector can move closer to realizing the Act’s intent—ensuring that patients feel safe not only within hospital walls but also in how their most sensitive personal data is handled.

Conclusion

The Digital Personal Data Protection Act, 2023 represents a transformative milestone in safeguarding data privacy in hospitals and strengthening the protection of patient information. By addressing consent, security, breach notification, and patient rights, the Act directly responds to the challenges highlighted by recent high-profile cyberattacks and data leaks in the healthcare sector. However, the real test lies in its implementation. Success will depend on sustained efforts to educate both healthcare providers and patients, comprehensive upgrades to digital infrastructure and internal processes, and consistent enforcement across regions and institutions. Most importantly, it requires embedding a culture of responsibility, where privacy is viewed not merely as a compliance requirement but as a fundamental part of patient care. Only then can India’s healthcare system evolve into a framework that is both technologically advanced and genuinely patient-centric in protecting sensitive health data.

Disclaimer

This website is for informational purposes only and is not intended to advertise or solicit work as per the Bar Council of India rules. By accessing www.foresightlawoffices.com, you acknowledge that you are seeking information about Foresight Law voluntarily. Nothing on this site constitutes legal advice or creates a lawyer-client relationship. Foresight Law is not responsible for any actions taken based on the content here. External links do not imply endorsement. Please do not share confidential information via this website. For details, review our Privacy Policy and Terms of Use.
