In the last week of December 2021, Delhi-based Sanchita Gupta (name changed) walked into a private testing clinic to get some routine pregnancy-related scans. Gupta was only a few weeks pregnant. The lab told her everything was fine, asking her to get a second set of scans in a couple of weeks.
Meanwhile, Gupta got a call from a stem cell collection company, congratulating her on the upcoming baby. Shocked, Gupta asked how he got access to her information, to which the man “mumbled” something about getting data off Google.
The incident highlights a significant issue in how medical data is treated by labs, hospitals and clinics—the fact that they have been rampantly sharing customer data with third parties without consent. Multiple industry experts, chief information officers of hospitals and privacy advocates told Mint that the lack of regulations makes the problem even more severe.
“Big hospitals have some controls in place. However, most diagnostic centres, health clinics and hospitals share data rampantly based on convenience,” said Sowmya Vedarth, Director, Cyber Risk Services at Deloitte India.
Vedarth said privacy by design as a concept is lacking. Not just small clinics, privacy advocates said sharing of data is very common even among bigger healthcare chains.
Rohin Garg, Associate Policy Counsel, Internet Freedom Foundation (IFF) said, “Hospitals inevitably end up collecting a lot of data, some of it is perhaps needed, but a lot of it is not.”
According to a CIO of a large hospital, who requested anonymity, a lot of tests that are done in hospitals and labs are nothing more than a commodity. "This makes it very easy for those medical entities that are in pursuit to churn out monetary gains out of it. For instance, if a stem cell banking company approaches a non-branded lab to furnish pregnant women’s data, they will sell the data to make a quick buck,” the CIO added.
According to an industry executive, almost 60-70% of midsize and large hospitals don't have proper electronic medical record (EMR) systems and have "no knowledge of, or a system to trace, who is logged into the system". Which makes it very difficult to actually find out who is taking data out.
Many hospitals and clinics do not have a clear data deletion and retention policy either. “They are also retaining the data continuously. So, for instance, if you take a test today you will get a reminder from the same lab three months later, or more, which means they are retaining the data, and have no deletion policy,” said N.S. Nappinai, a Supreme Court advocate and founder of Cyber Saathi Foundation, a cyber-safety organization.
Vedarth said, “In many diagnostics centres, reports are just lying around near the reception. There is no clarity on how much data a person at reception has access to and how much data a doctor has access to.”
But experts say it happens in a disorganised manner in India, unlike countries such as the US, where there is a syndicated black market for health data. Healthcare data can fetch up to $250 per record on the black market, compared to the next highest valued record of $5.40 for payment cards, as per cybersecurity firm Trustwave.
The growing application of artificial intelligence (AI) in healthcare has also made patient data a valuable commodity. There are so many AI startups that actually need data to train and test the accuracy of their AI models. When they get this data from healthcare institutions, they also need patient consent but actually don’t have this consent.
Experts say the lack of data protection laws and the limitation of the health data management policy (HDMP) has allowed the menace to grow. Clause 29.1 of the HDMP under the National Digital Health Mission (NDHM) says that data fiduciaries can make anonymised data available for health and clinical research, academic research and policymaking. IFF's Garg warned that under those provisions, these clinics can send your data to whatever private company they want, whether they be insurance, medical services or pharmaceutical companies.
“In case one finds out that the data has not been masked, legal actions can be taken against the health authorities concerned. However, many times, it is difficult to trace the source of the breach,” said Shuvankar Pramanick, Senior Director & DCIO Information Technology, Digital Transformation, Manipal Health Enterprises.
Despite loopholes, existing laws have room for liability. For instance, Nappinai says under the current law, health data is considered sensitive personal data. What Article 43A of the IT Act “effectively amounts to" is that "a company cannot be negligent in the process of handling health data. And if they are, then they are liable”.