Libertatem Magazine

Breach or Betrayal: Analyzing the Legal Framework on India’s Biggest Healthcare Data Leak

Contents of this Page

It is alarming that the personal data of around 81.5 crore Indian citizens, a more than fifty percent of the population got leaked from the Indian Centre of Medical Research (ICMR) terming it as the biggest data breach in India so far. A US-based cybersecurity analyst firm Resecurity discovered the breach where personally identifiable information like Aadhar, and passport details are being sold on the dark web.[1]

The Scale of the ICMR Data Breach

The gravity of the situation is that the Aadhar and passport details of the citizens collected during Covid-19 testing period, could also include data of children, person with disability and other vulnerable sections of our society. Our Aadhar details are linked to our bank account, PAN number, passport, income tax, mobile SIM card, election cards and every imaginable detail and social welfare scheme offered by the government. In today’s age, personal information can easily be weaponised. Given the volume of the data, which is breached, most of the population remains aloof of the fact that their own personal data is being sold on the dark web. It must be alarming enough to imagine that this sensitive data could belong to any of us, our family / loved ones, our friends, or collegues.

ICMR data leak is the biggest and the most serious incident, but it is not the first one. Just within the healthcare sector, the AIIMS ransomware attack,[2] the breach of the COWIN platform[3] as well as the data leak from the Aarogya Setu app[4] are a few of the notable examples. Notably, National Informatics Centre (NIC) had developed the “RT-PCR” mobile app for ICMR, this Mobile App’s ‘Privacy Policy’ under ‘Security’ clause stated that “… But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable and we cannot guarantee its absolute security”.[5]

We boast of our digital public infrastructure, but data protection and cybersecurity evidently remain vulnerable. There is a complete lack of accountability and transparency in such situations. Despite privacy being recognised as a fundamental right under Article 21 of the constitution, the rights of those who data got leaked are still not protected under the law. This article is an attempt to identify legal recourse for the victims of a data breaches and hold the one in control, as responsible and accountable for its laxity in keeping our data safe and secure.

Digital Personal Data Protection (DPDP) Act, 2023

Notably, on August 11, 2023, the Digital Personal Data Protection (DPDP) Act, 2023, was notified, but its provisions are not yet enforceable. DPDP is meant to protect the digital personal data and takes an individual-centric approach on security. For safeguarding healthcare related data, a draft of the Digital Information Security in Healthcare Act (DISHA) 2018 was opened to public for comments on March 21, 2018, but no progress has been made since then. DISHA is an act which caters specifically to data privacy in the healthcare sector and could prove to be of great value and impact in protecting the health care data of the citizen if it was implemented. Currently, the law in force for protecting personal and sensitive data is the Information Technology (IT) Act, 2000, which also focus on information / cyber security, cyber-crimes, provides rules for data protection, including compliances, etc.

DPDP Act, 2023 Act is a significant landmark in India’s data protection regime. It defines personal data as any data about an individual who can to be identified by or in relation to such data.[6] The onus to protect the data is on what it calls a ‘data fiduciary’, i.e., a person responsible for determining the purpose and means of processing data.[7] Due to general applicability and an elaborative definitions, government bodies like the ICMR come within the ambit of DPDP. DPDP gives utmost importance to obtain the consent of the individual and prescribes various obligations for secure and protect data as well the interest of the individual. In the event of a breach, it is mandatory for a data fiduciary to notify the person whose personal data has been breached.[8] While there is no provision for compensation to an individual, but the laws prescribe heavy penalties (maximum of INR. 250 crore) under Section 33 for various non-compliances.

Though DPDP Act is notified but unfortunately DISHA draft lies unnoticed despite being the need of the hour. If implemented, this could most effectively secure individual’s rights and provide an effective remedy to the individual affected through compensation. The approach that DISHA took towards securing the digital health care data and rights of the individual can also be partly achieved under DPDP Act or IT Act, but a comprehensive data protection framework for the health care sector is the need of the hour.

Digital Information Security in Healthcare Act (DISHA) 2018

Notably, DISHA aimed to protect Digital Healthcare Data of an individual which refers to digitally stored records of one’s visits to a clinical establishment, general health records, tests conducted as well as information of any organs donated[9]. It applies to clinical establishments which include all healthcare institutions ranging from hospitals, maternity homes to any institution offering diagnosis, treatment, or cure for an illness.[10] Government research bodies like the ICMR would be covered under DISHA.

What sets DISHA apart is its approach to securing individual rights in the context of data protection. Section 3(1)(j) defines the individual whose health data is being created and processed as the owner of such data. This helps realise the rights of the individual better by clearly demarcating that ownership of any information in the healthcare sector rests with the person concerned and the clinical establishments are only carrying that information for a specific time and purpose, i.e., only have custody over such data, leading to right to privacy, confidentiality and security.

As a result of granting ownership of the data to the individual, DISHA requires a clinical establishment which fails to fulfil its obligation of keeping the owner’s data secure to pay compensation to the owner.[11] Further, penalties including fines and imprisonment are also provided for in cases of data breach and data theft. It also mandates notice to the owner as soon as a breach occurs.[12] Thus, DISHA goes one step ahead and secures compensation to victims personally.

Existing Legislation and Its Limitations

This is all about laws which are not yet in force. The existing legislation does not provide for any remedy for victims of a data breaches. The IT Act is focused more on information than data specifically. It provides for compensation to individuals under Section 43A which only applies to ‘body corporates’ which is limited to private companies. In its current form, this provision does not include government bodies like the ICMR. Further, even the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI rules) only apply to body corporates.

The Act also sets up Indian Computer Emergency Response Team (CERT-In) for forecasting cyber incidents and managing them.[13] CERT-In I clearly not fulfilling its functions as the news of every breach always comes from private analysts. No official communication of immediate response has ever come from CERT-In in time to tackle the incident. It is quite evident that the IT Act is not equipped to deal with data protection and fails to secure rights of an individual against any data processor, regardless of its public or private nature.

Governmental Lacuna and Insufficiency of Laws

The insufficiency of current laws and failure of the government to bring into force the required laws are a serious lacuna. This essentially means that victims of such a serious offence are left without any remedy. They are not even entitled to a bare minimum compensation under the law for a breach which connects to every aspect of their life as well as the lives of their loved ones. Our data is left exposed, and victims have no recourse or even knowledge to such recourse.

Our Aadhar details have woven into any details of our lives related to our identity, the rampant healthcare data breaches paint a harrowing picture. The very essence of our personality is exposed through such incidents. Shockingly, the victims have no remedy under the current legal system which leaves them stranded in the aftermath of governmental irresponsibility. Imagining one’s own identity on sale on the dark web is a violation beyond measure. The same identity which is worth millions on the dark web is not worth anything in law since no compensation can be secured for its breach.

The Urgent Need for Change

A change is much needed, and this is not just a demand but the need for securing rights, maintaining transparency, and holding the one in-charge accountable. The victims of a breach deserve more than a mere apology, they need to be duly compensated. We all need a future where our data is safe and secure, and our fundamental rights are upheld with a strong vigil.

**The views expressed are solely those of the author and should not be attributed to the author’s firm or its clients, or any other organization.


[1] https://www.resecurity.com/blog/article/pii-belonging-to-indian-citizens-including-their-aadhaar-ids-offered-for-sale-on-the-dark-web?s=08 and https://economictimes.indiatimes.com/tech/technology/aadhar-data-leak-personal-data-of-81-5-crore-indians-on-sale-on-dark-web-report/articleshow/104856898.cms

[2] https://indianexpress.com/article/cities/delhi/aiims-ransomware-attack-services-hit-8285901/

[3] https://www.thehindu.com/news/national/health-ministry-responds-to-massive-cowin-data-breach/article66960250.ece

[4] https://www.business-standard.com/article/technology/hacker-flags-security-breach-in-aarogya-setu-app-govt-quashes-claims-120050600325_1.html

[5] https://covid19cc.nic.in/icmr/PrivacyPolicy_RTPCR.htm

[6] Section 2(t), DPDP Act, 2023.

[7] Section 2(i), DPDP Act, 2023.

[8] Section 8, DPDP Act, 2023.

[9] Section 3(1)(e), DISHA, 2018.

[10] Section 3(1)(i), DISHA, 2018.

[11] Section 37, DISHA, 2018.

[12] Section 21(2)(d), DISHA, 2018.

[13] Section 70B, IT Act, 2000.

About the Author