CoWIN data leak: Global data protection norms and what’s at stake in India

Such breaches not only compromise individuals’ privacy but also erode public trust, potentially hampering vaccination efforts.

Written by: Rohan Bir Singh

The CoWIN app data leak has once again brought into focus the data protection protocols in India – or the lack thereof. The incident serves as a wake-up call for the government and technology developers in the country.

With health data increasingly being shared with providers in this interconnected world, healthcare privacy has become a critical global concern. As countries strive to provide quality healthcare while protecting patients’ confidentiality, variations in healthcare privacy regulations and cultural contexts create a complex landscape.  

India’s ambitious Covid-19 vaccination campaign relied heavily on the CoWIN (Covid Vaccine Intelligence Network) app, a digital platform designed to streamline the registration and distribution of vaccines.

Launched in early 2021, the CoWIN app played a pivotal role in India’s vaccination campaign, facilitating online registration, appointment scheduling, and vaccination certificates. The app was aimed at streamlining the vaccination process, providing real-time data on vaccine availability, and ensuring equitable distribution across the country’s vast population.

However, the reports on data leaks and privacy breaches linked to the CoWIN app have raised privacy concerns and worries around the security of sensitive personal information. 

The breach – which allegedly involved a third-party website that was able to access and display vaccination data of individuals registered with the CoWIN app – made the personal data of lakhs of Indians susceptible to misuse. This data included names, phone numbers, Aadhaar numbers, passport details and vaccination status.

Such breaches not only compromise individuals’ privacy but also erode public trust, potentially hampering vaccination efforts and undermining confidence in digital public infrastructure. 

Addressing data privacy concerns

While the CoWIN app includes some privacy features, such as one-time passwords for authentication, the incident underscores the importance of regular security audits, vulnerability assessments, and data encryption protocols. Strengthened privacy and access controls can help prevent unauthorised access and potential data leaks.

While the data breach highlights the need for a comprehensive approach to data privacy in healthcare systems, especially in times of crisis, it also underlines that privacy must be prioritised from the outset. Privacy-by-design principles should be embedded in the development process to ensure robust security measures and privacy safeguards.

Transparency and open communication from governments and health authorities are also crucial. There must be clear information about the data collected, the purpose of its use, and the security measures in place to safeguard it. Accessible privacy policies should be provided to users, empowering them with information about how their data is handled and protected.

Lastly, regular monitoring and audits are essential to identify and address vulnerabilities promptly. Potential security gaps can also be identified through external audits, following which proactive measures can be taken to mitigate risks and ensure compliance. 

Need to rebuild trust, strengthen privacy 

The CoWIN app data leak jeopardises the future adoption of digital health solutions. Thus, it is crucial that public trust be rebuilt. The government must demonstrate its commitment to data privacy by taking swift action against those responsible for the breach and implementing stringent security measures. 

Additionally, efforts should be made to raise awareness among the public regarding data privacy, security practices, and their rights concerning the use of their personal information. This transparency, accountability, and open dialogue between stakeholders will play a vital role in rebuilding trust and ensuring the integrity of digital healthcare systems.  

However, India’s struggle to adopt privacy laws is evident from the fact that a Personal Data Protection Bill is still in the drafting phase. The bill seeks to establish comprehensive data protection standards, including for healthcare data.

It should be the imperative of the Indian government to reassess and rebuild healthcare data laws in the country in tandem with global practices. 

European Union: Control over personal data, need for explicit consent

Europe has been at the forefront of healthcare privacy regulations, with the European Union’s implementation of the General Data Protection Regulation in 2018. The GDPR establishes comprehensive guidelines for the collection, use, and storage of personal data, including healthcare information. It grants individuals control over their data, mandates explicit consent for processing sensitive information, and enforces strict penalties for data breaches. 

Germany and France, among a few other countries, have further bolstered privacy protections through their national legislation. Germany's Federal Data Protection Act extends the principles of the GDPR, emphasising the importance of data security and granting patients greater control over their health information. Similarly, France’s Digital Republic Act ensures that individuals have the right to access and control their healthcare data.  

United States: Set standards for data security, sharing and safeguards

The United States takes a nuanced approach to healthcare privacy laws, with a system characterised by a combination of federal and state regulations. The Health Insurance Portability and Accountability Act, a federal law enacted in 1996, remains a cornerstone of patient privacy in the US. It provides individuals with rights to their health information, establishes standards for data security, and requires healthcare organisations to implement safeguards to protect patient privacy. 

Besides HIPAA, some states such as California have additional legislation to enhance privacy protections. The California Consumer Privacy Act grants individuals the right to know what personal data is collected, shared, or sold and allows them to opt out of data sharing.

In Asia, Japan and South Korea lead with comprehensive frameworks

Most Asian countries are yet to establish stringent health privacy laws. The privacy laws here are shaped by diverse cultural and legal contexts. However, Japan and South Korea lead the way among Asian countries with comprehensive data protection frameworks. Japan’s Act on the Protection of Personal Information outlines principles for the collection, use, and disclosure of personal data, including healthcare information. South Korea’s Personal Information Protection Act similarly emphasises the importance of informed consent and safeguards for personal data.

Cross-border data transfers, need for collaborations 

While each region has its unique approach to healthcare privacy laws, collaborations are essential to address the complexities of data sharing and privacy in this highly globalised world. International bodies such as the World Health Organization and the International Conference of Data Protection and Privacy Commissioners work to harmonise privacy standards, encourage knowledge exchange, and promote best practices across borders. 

Efforts are underway to facilitate secure cross-border data transfers, such as the EU-US Privacy Shield and the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System. These initiatives aim to strike a balance between facilitating global data flows and ensuring robust privacy protections. This is especially vital as countries embrace technology to streamline vaccination drives and improve healthcare delivery in the post-Covid world.

With the implementation of stringent privacy controls, transparency, and the promotion of public awareness, governments can bolster the trust and integrity of digital health initiatives.

Healthcare privacy laws around the world reflect the unique cultural, legal, and technological landscapes of each region. From Europe’s stringent data protection regulations to the varying degrees of rigour across the US states, and Asia’s evolving frameworks, safeguarding patient information remains a common goal. 

As healthcare systems become increasingly digitised and global, collaboration and harmonisation of privacy standards will play a crucial role in protecting patients’ privacy, fostering innovation, and ensuring trust in the healthcare ecosystem.

Rohan Bir Singh is a research fellow at the Harvard Medical School, USA and senior visiting lecturer at the University of Adelaide, Australia.
