This article is authored by Nikhilesh Wani, Founder, Byteseal
A stolen credit card sells for roughly ₹150 on the dark web. A complete medical record — Aadhaar, insurance ID, diagnosis history, prescriptions — can fetch up to ₹5,000. That price gap is not a coincidence. It is a signal.
India’s healthcare sector is becoming one of the most attractive targets for cybercriminals — not because it is the richest, but because it holds the most permanent and exploitable form of personal data.
The Core Problem: Medical Data Doesn’t Expire
Financial data is replaceable. Medical data isn’t. You can cancel a card. You can freeze an account. But you cannot erase a diagnosis, a mental health record, or a long-term illness from your history.
For attackers, that permanence is leverage. This has fundamentally changed the nature of cyberattacks in healthcare. It is no longer just about stealing and selling data. It is about extortion at scale.
India is no longer dealing with isolated data breaches—it is facing systemic, large-scale exposure of personal information. In 2021 alone, nearly 86 million records were compromised, and by 2023, a single breach reportedly exposed data linked to over 669 million individuals, underscoring the sheer scale of the problem. The healthcare sector, in particular, has emerged as a prime target. The ransomware attack on AIIMS in 2023 is estimated to have impacted around 40 million patient records, while earlier incidents, including breaches at major hospital networks, exposed millions more. This is why, through 2024 and 2025, Indian healthcare and insurance firms have faced some of the highest ransomware demands across sectors.
When Cyberattacks Become Clinical Emergencies
The real risk is not just data exposure. It is an operational collapse. In multiple ransomware incidents across India, hospitals were forced into crisis mode:
- Doctors lost access to patient histories mid-treatment
- Radiology systems became inaccessible
- ICU teams operated without digital records
In some cases, hospitals reverted to paper overnight.
The entry point was rarely sophisticated — typically a phishing email disguised as a lab report or invoice. One compromised login was enough. Malware spread quietly across systems, and days later, entire networks were locked. What makes this more concerning is not just the volume, but the pattern—studies show that hundreds of such incidents have occurred in recent years, with a majority driven by basic security failures rather than sophisticated attacks. The implication is clear: India’s data crisis is no longer about breaches—it is about continuous exposure at scale (Medianama; Reuters; India Today; ResearchGate).
Backups existed in many cases. They just didn’t work — either untested or stored on the same network. This is not a technology failure. It is a basic security failure.
Digital Personal Data Protection Act, 2023, Raises the Stakes
India’s data protection law has removed the luxury of complacency — especially for startups. If you are building in healthtech, insurtech, or any system handling personal health data, here is what actually matters:
- Consent must be explicit
No ambiguity, no pre-ticked boxes. Users must clearly agree on how their data is used.
- 72-hour breach reporting is mandatory
Delays are not defensible. If a breach happens, disclosure is time-bound.
- Data minimisation is enforceable
If you cannot justify why you are collecting a data point, you should not be collecting it.
- Penalties are existential
Fines can reach ₹250 crore. For most startups, that is not survivable.
This is not compliance theatre. It is an enforceable risk.
Startups Are Overexposed — And Underprepared
Most healthtech products today collect more data than they need and protect it less than they should.
The uncomfortable truth: The average breach does not start with a system flaw. It starts with a person.
A receptionist. A claims processor. A nurse.
One phishing email. One password reused. One compromised account.
From there, everything unravels.
What Needs to Change — Immediately
This is not a long-term roadmap. These are immediate corrections:
- Audit your data
Identify every piece of personal information you collect. If it is not essential, remove it.
- Encrypt by default
Data should be unreadable without keys — both in storage and in transit.
- Reduce access drastically
If more than a handful of people can access your production database, your attack surface is already too large.
More importantly, startups need to rethink authentication itself.
Password-based systems are fundamentally fragile in environments with non-technical users. One compromised credential can bring down an entire organisation.
This is where companies like Byteseal are pushing a shift toward hardware-based authentication — eliminating passwords and storing credentials offline. It removes phishing from the equation entirely, which is where most breaches begin.
Trust Is the Real Product
Healthcare startups often think they are building convenience. In reality, they are handling trust. Patients are sharing deeply personal information with platforms they discovered days ago. The assumption is that this data will be protected — not monetised, leaked, or held hostage. The companies that understand this will build durable businesses. The ones that don’t will learn the hard way: In healthcare, a single breach doesn’t just cost money. It destroys credibility.