
Online medical platforms are playing fast and loose, collecting patient data

Digital IDs are being generated and sensitive medical data is being shared with third parties by online health platforms in India

“I had gone to an ENT clinic in Chennai for a routine checkup. At the reception, they collected my personal details at the reception in a ledger. I was not told that it will be uploaded to a cloud application. When I returned home after the check up, I got a text message saying that my details have been uploaded on a private platform and added to its database,” said Chennai-based Ramraj, a 28-year-old employee at a private company.

Ramraj’s account is part of an increasingly concerning trend of private online medical platforms, in this case Bengaluru-based DocOn Technologies, uploading sensitive details such as health records on their platforms and creating a common health ID, allegedly without taking the consent of patients. This is happening irrespective of whether the patient had any interaction with the said platforms before, during or after their consultation.

The message that Ramraj received from DocOn

Meanwhile, Ramraj faces a dilemma. DocOn Technologies’ privacy policy states that one can request them to remove their medical record. “Firstly no consent was not taken from me. Secondly, to remove the data I still have to provide my email ID to them; which I do not want to,” he said. MediaNama reached out to the co-founder and grievance officer of DocOn Technologies, Nishant Anthwal with specific queries over email. Other than an automated reply which said that our queries had been registered, we have not yet received any response.

This health ID creation gains further importance because the privacy policies of these platforms state that the collected sensitive personal data can be sold or transferred to third parties and affiliates in an “aggregated and non-personally identifiable form”. Coupled with India’s archaic laws that have failed to keep up with technology, and in the absence of robust data protection laws, there is a lack of accountability of such platforms when it comes to addressing such alleged violations.

Not a one-off incident

A while back, Hasgeek co-founder Kiran Jonnalagadda was subjected to a similar situation when he visited a physiotherapist in Bengaluru. Around two to three days after the consultation, Jonnalagadda received a text message from Bengaluru-based Portea Medical welcoming him to their platform and informing him that a customer ID had been created through which he could access his physiotherapy records.

Like Ramraj, Jonnalagadda neither had any interaction with the online medical platform nor had he provided his consent for the creation of the health ID. He took up the matter with the doctor and was told that Portea Medical was being used in the clinic for record keeping.


What the doctor keeps for record keeping is not my problem, but when Portea (Medical) provides a customer ID, that is not record keeping; that is Portea linking records across doctors with a common ID, which they should not be doing. So, firstly, they did not have my consent to give me an ID, and they also did not have my consent to link my records across doctors — Kiran Jonnalagadda, HasGeek

We will be deleting the data: Portea Medical CTO

Ramasubramani Ganesan, Chief Technical Officer (CTO), said that Portea Medical has taken cognisance of Jonnalagadda’s request to delete his data from the platform. “Our team is working on it. Given the patient is particular that he does not want to share the data with us, we will be removing the data from the system,” Ganesan said.

However, Ganesan justified the creation of the health ID by saying that physiotherapy in the clinic was a service provided by Portea Medical. “So by taking the services, we were just informing how we can reach back to us in case he wants any additional support,” he said.

When asked if there was visible signage at the clinic denoting that the service was being offered by Portea Medical, Ganesan said, “Normally we have Portea banners, and names. But for the past year, due to Covid-19, those banners had been removed, which might have caused the confusion. In regards to this particular case, we need to figure out the details — whether there was a communication issue. But in general, we get consent forms signed, so that patients know that Portea Medical is involved.”

Mishi Choudhary, founder of Software Freedom Law Center (SFLC.in), while criticising such private players, said, “It is clear that consent was not given at all let alone freely given. In any other country, such businesses will be heavily fined but if the party responsible for laying down a framework and enforcing it i.e. the government itself is facilitating health data leakages, citizens are left with no avenue to take their claims to.”

It is quintessential for a platform or the concerned practitioner who is providing these details to such platform, to obtain an informed consent from the patient whose private information is to be appropriated. Uploading of information would not only be an infringement of the patient’s right to privacy but would also be against the Indian Medical Council’s (Professional Conduct, Etiquette and Ethics) Regulations — Kritika Seth, founding partner of Victoriam Legalis


Not just health IDs, issues pertaining to medicine deliveries and telemedicine too

A few weeks back, Mumbai resident Chitra Mathur, who works at an NGO, went on Tata 1MG to order a few medicines for herself. The medicine she had to order required a prescription, and she had the required prescription from a doctor. She uploaded it on the platform and placed the order for the medicines.

However, her order was flagged and she received a call from someone who introduced himself as a doctor. This alleged doctor enquired about her prescription, her ailments and the prescription’s veracity, and asked several other questions which she thought were invasive. She pointed out that she had neither consented to being called, nor was she aware that her prescription (sensitive health details) could be shared with others.

We reached out to Tata 1MG, its co-founder Prashant Tandon, and its public relations team with specific queries in this regard. However, we did not receive any response at the time of publication of this report.


Sarvesh Mathi, a journalist with MediaNama, too had to face a similar situation when he ordered a few prescription drugs on NetMeds for his grandmother. Like Mathur, he too received a call from 1MG questioning the veracity of the prescription and confirming the medicines needed. It was only after providing an explanation that the order was processed.

First of all, orders are “flagged” for a number of reasons which range from legibility, to expiration date, to “product mismatch” where the customer has ordered an item other than the prescribed item, such as a generic version of the molecule rather than a named brand, to name a few. In any such case, the customer is notified that there is an issue with the prescription and that one of our network doctors will be calling them to get any of these, or other points clarified — NetMeds Escalation Team

Since the prescriptions that Mathi or Mathur upload on their respective platforms can (according to the platforms’ privacy policies) be shared with third parties, we asked NetMeds and Tata 1MG about their data sharing practices. While we did not receive any response from Tata 1MG, this is what NetMeds said.

As for “sharing of data” we make it quite clear that all users of the site and the app are agreeing to our published Privacy Policy which confirms that sensitive data, including personal information, and explicitly, “physical, physiological and mental health conditions” may be shared with third parties. You will find that this Privacy Policy is much like that of most major pharmacy and healthcare provider sites. And finally, no data is shared beyond the country’s borders — NetMeds Escalation Team

Big void when it comes to regulation of online medical platforms: Experts

Mahendra Kumar Bajpai, a Supreme Court advocate and Honorary Director at the Institute of Medicine Law, explained that India lacks a legal framework for regulating online medical platforms that provide telemedicine facilities. The current set of laws only regulates healthcare providers and is not enough for online medical platforms.

When it comes to telemedicine, we have a set of laws for doctors and three guidelines which have come out for regulating allopathic, homeopathic, ayurvedic doctors. And these guidelines are only for regulating doctors. The regulation goes to the extent of saying that they are not concerned about telemedicine. Although certain provisions of the IT Act are applicable, they are not enough. This gap is being exploited — Mahendra Kumar Bajpai, a Supreme Court advocate

What Bajpai is essentially saying is that the consultation side of telemedicine, including aspects such as the doctor-patient relationship, is regulated under the Code of Medical Ethics. However, when it comes to platform-related processes such as the collection and sharing of data, there is a huge gap.

Bajpai also pointed towards the lack of a robust data protection law in the country. In that regard, most privacy policies and terms and conditions pages of platforms such as Tata 1MG, NetMeds, Portea Medical, etc. mention that they share the collected sensitive personal data with third parties after “anonymising” it. However, Mishi Choudhary, SFLC.in founder, was not convinced.

If these companies claim that they are sharing anonymised data, one must ask what categories of data are being shared and how are actual identifiable persons getting intimation or calls. Perhaps what they mean is pseudonymous data and not anonymous. Pseudonymous means data which could be attributed to a natural person by the use of additional information — Mishi Choudhary, SFLC.in founder

What can/should be done, according to experts

Make online medical platforms encrypted: Cybersecurity expert V Anand said that medical data gets leaked in the dark markets quite a lot. He dismissed privacy policies of online medical platforms as “shams” and instead stressed “owning your encryption” (wherein the data is encrypted and is accessible by a key held by an individual).

Compliance with IT Rules 2021 necessary: Utsav Trivedi, partner at TAS Law, said that these platforms should comply with the Information Technology (Intermediary Guidelines and Digital Ethics Code) Rules, 2021. According to the rules:

  • Intermediary must publish its “rules and regulations, privacy policy and user agreement” on its website or mobile application.
  • The intermediary should, at least once a year, inform users if they do not comply with the published rules and regulations, privacy policy or user agreement.
  • Intermediary must notify users of any changes to its rules and regulations, privacy policy or user agreement at least once a year.

Patients’ rights: According to SFLC, these are some of the rights that patients must have and which should be included in the functioning of online medical platforms

  • Right to be informed: companies must tell individuals what data of theirs is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
  • Right to restrict processing: individuals can request that a company limits the way it uses personal data.
  • Right to object: individuals should have the right to challenge certain types of processing, such as direct marketing.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
