
Keep health data safe

What is required is a framework to safeguard the sensitive information of citizens and give them complete ownership of their health data

Chaaru Gupta Published 13.03.23, 04:22 AM

The Indian position on the security of health data of citizens is ambiguous. Sourced by The Telegraph

The health data of around 3-4 crore people were in jeopardy when the All India Institute of Medical Sciences in Delhi faced a cyberattack, with Rs 200 crore in cryptocurrency being demanded as ransom. This attack was one of the 1.9 million cyberattacks faced by the healthcare industry in 2022. This raises pertinent questions concerning the protection of health data not only from hackers but also from the government and the corporate world.

Health data include sensitive personal information on ongoing treatments, previous procedures, reproductive health, biometric data, genetic data and so on. While storage of this data can be helpful in maintaining records and in deciding the future course of treatment, there is potential for misuse of the same by way of commercialisation of health data and DNA profiling, among other transgressions.

The Government of India proposed the Digital Information Security in Healthcare Act, 2018 to protect electronic health data of the people and to maintain the medical principle of confidentiality. The Act seeks to enforce the principle of informed consent wherein a patient’s consent has to be taken for data being gathered, stored and the ways in which they may be transmitted. Section 28 of the Act empowers the owner of the data to refuse or withdraw consent at any time. Refusal, however, would not impede the right to receive healthcare. It also entitles the owner to be informed as to which establishments shall use the data and for what purpose. Unfortunately, the Act is yet to be passed.

Another piece of legislation impacting the protection of health data — the digital data protection bill — was tabled in Parliament. The bill was the fourth attempt by the government to enact a law for data protection. However, it was riddled with weaknesses. The bill failed to provide for a separate category of sensitive personal data, including health data, genetic data and biographic data. The General Data Protection Regulation, the European Union’s regulation on data protection and privacy, makes a distinction between ‘personal data’ and ‘sensitive personal data’ wherein sensitive personal data include special categories of data that need additional security. The bill did not provide for any such distinction; consequently, health data did not have a higher degree of protection. Further, it violated various principles of data protection provided by the OECD and the Justice A.P. Shah Committee in the Puttaswamy judgment of 2018. The bill places no limits on the amount and kind of data that can be collected once the owner gives consent. This means that health data may be used and stored whether or not they are required for a particular activity. This violates the principle of Collection Limitation, which states that limits should be set on the data collected, as well as the Data Quality principle, which states that the data collected should be relevant for the purpose for which they are to be used. The Health Insurance Portability and Accountability Act, the American law on protection and privacy of health data, follows both these principles.

The Indian position on the security of health data of citizens is ambiguous. This is worrying as India’s e-healthcare industry is expected to be worth 10.6 billion dollars by 2025. What is required is a framework to safeguard the sensitive information of citizens and give them complete ownership of their health data.
