According to an industry executive, 60-70% of midsize and large hospitals don’t have proper electronic medical record systems and have “no knowledge of, or a system to trace, who is logged into the system". “This makes it very difficult to actually find out who is taking data out," he said on the condition of anonymity. Many hospitals and clinics also lack clear policies on either deleting or retaining data. “For instance, if you take a test today, you will get a reminder from the same lab three months or more later, which means they are retaining the data, and have no deletion policy," N.S. Nappinai, a Supreme Court advocate and founder of Cyber Saathi Foundation, said.

