Indian hospitals, clinics, labs selling data without consent

In the last week of December, Delhi-based Sanchita Gupta (name changed) got routine pregnancy-related scans done at a private clinic. She was told everything was fine, and asked to get a second set of scans done within a couple of weeks. Later, Gupta got a call from a stem cell bank, congratulating her on the baby. Gupta was shocked at how they had got access to her medical data. The caller said he had sourced it from Google.

The incident highlights how labs, hospitals and clinics are rampantly sharing customer medical data with third parties without their consent. In fact, industry experts, chief information officers (CIOs) of hospitals and privacy advocates said lack of regulation makes the problem even more severe.

“Big hospitals have some controls in place. However, most diagnostic centres, health clinics and hospitals share data rampantly based on convenience,” said Sowmya Vedarth, director, cyber risk services, Deloitte India.

And it is not just small clinics; even healthcare chains share medical data. “Hospitals inevitably end up collecting a lot of data, some of it is needed, but a lot of it is not,” said Rohin Garg, associate policy counsel, Internet Freedom Foundation.

According to the CIO of a large hospital, who requested anonymity, many tests done at hospitals and labs are nothing more than a commodity. “This makes it very easy for medical entities in pursuit of making money out of it. For instance, if a stem cell bank approaches a small lab to furnish pregnant women’s data, they will sell the data to make a quick buck.”

According to an industry executive, 60-70% of midsize and large hospitals don’t have proper electronic medical record systems and have “no knowledge of, or a system to trace, who is logged into the system”. “This makes it very difficult to actually find out who is taking data out,” he said on the condition of anonymity. Many hospitals and clinics also lack clear policies on either deleting or retaining data. “For instance, if you take a test today, you will get a reminder from the same lab three months or more later, which means they are retaining the data, and have no deletion policy,” N.S. Nappinai, a Supreme Court advocate and founder of Cyber Saathi Foundation, said.

“At diagnostics centres, reports are also found near the reception area and there is no clarity on how much data a person at the reception has access to and how much data a doctor has access to,” Vedarth said.

However, in India, sharing of medical data is not an organized racket, unlike, say, in the US, where there is a syndicated black market for health data. Healthcare data can fetch up to $250 per record in the black market, compared with the next highest valued record of $5.40 for credit or debit cards, as per cybersecurity firm Trustwave.

The growing application of artificial intelligence (AI) in healthcare has also made patient data a valuable commodity. There are many startups that need actual data to train and test the accuracy of their AI models. To get such data from healthcare institutions, they should ideally seek patient consent but they usually do not.

Lack of data protection laws and the limitation of the health data management policy (HDMP) have allowed the menace to grow. Clause 29.1 of the HDMP under the National Digital Health Mission says data fiduciaries can make anonymized data available for health and clinical research, policymaking, and academic research.

“In case one finds out that the data has not been masked, legal action can be taken against health authorities concerned. However, it is difficult to trace the source of the breach,” Shuvankar Pramanick, senior director and deputy central intelligence officer, information technology, digital transformation, Manipal Health Enterprises, said.

However, despite the loopholes, existing laws have some room for liability. Nappinai said health data is considered sensitive personal data. What Article 43A of the IT Act “effectively amounts to” is that “a company cannot be negligent in the process of handling health data, and if they are, then they are liable”.

abhijit.ahaskar@livemint.com
