COVID Data Breach: Nearly 1 in 5 citizens surveyed say they are receiving promotional communication from hospitals/labs where they took the COVID vaccine or got test done

May 28, 2025, New Delhi: As the number of Covid cases are rising, many people who had got tested during previous surges or during the pandemic are reported to be getting calls from various testing labs, urging them to undergo tests if unwell. Several consumers have reported over the last two years the fact that they have been receiving unsolicited messages for getting pathology tests done from labs that they used for a Covid test during 2020-2022. Some others have reported receiving follow-on messages from the hospital where they got the Covid vaccine administered.

Security researchers are alleged to have uncovered a massive data leak within Apollo Hospital, according to a report few months ago by Boomlive.in. The leak, which could potentially have compromised the personal and medical records of lakhs of patients across Apollo’s network, was notified to the Indian Computer Emergency Response Team (CERT-in) and the National Critical Information Infrastructure Protection Centre (NCIIPC) for further investigation. The first security leak was detected in January and second in March, according to information shared with Decode, Boomlive.in states. In this case, the media report states that the leak was detected in time. It is not the first time medical records data have been leaked in India or overseas, placing lakhs of people at all sorts of risk.

Sharing contact information or sourcing information on the diagnosis of patients is also not unknown. In 2023, the CERT-In, the cyber security arm of central government, is reported to have informed Indian Council of Medical Research (ICMR) about the data breach leak in which COVID-19 test details, including names, Aadhaar and passport information, phone numbers and addresses, of 81.5 crore Indians were being advertised on the dark web. In its communication, CERT-In is reported to have furnished ICMR with verification of sample data, which allegedly matches with the actual ICMR data. The data leak of those who registered on the CoWIN portal for COVID-19 vaccination was first reported in June that. Preliminary information had revealed that “a bot on Telegram (messaging app) breached parts” of the health ministry’s CoWin app. The Ministry of Health and Family Welfare had however refuted reports of data theft stating, “all such reports are without any basis and mischievous in nature” as the ministry’s CoWIN portal “is completely safe with adequate safeguards for data privacy”, even as it had ordered probe by CERT-In. In June 2023, reports of the data leak had been ‘substantiated’ with details of several prominent citizens being shared on social media platforms like Twitter to prove the reliability of the news published.

Under the recently released Draft Digital Personal Data Protection Rules, 2025, even if a customer has shared his or her contact details, the retailer/ diagnostic clinic or any other entity must keep it secure. They cannot use it for making spam calls or sending promotion messages unless explicit permission has been granted. However, the fact remains that so far, once a person has used the services of diagnostic clinic, he or she is inundated with spam messages and calls. With the Digital Personal Data Protection (DPDP) Rules, 2025, still to be finalized consumers must bear the harassment or block calls from unwanted numbers. The other options are to approach an adjudicating officer under section 46 of the IT Act to file for compensation or else file a civil suit for breach of privacy or confidence.

With several hundred citizens writing about they getting unsolicited calls and messages from labs and hospitals since 2023, LocalCircles has conducted a national survey to understand the magnitude of Covid test and vaccination related data breach. The survey received over 18,000 responses from citizens located in 301 districts of India. 67% respondents were men while 33% respondents were women. 46% respondents were from tier 1, 29% from tier 2 and 25% respondents were from tier 3, 4 and rural districts.

Misuse of Citizen Data - 18% of citizens say they are receiving promotional communication from 3rd parties/labs/hospitals where they got COVID tests done between 2020-2023

The survey first asked citizens“Have you observed that data shared by you with private entities for getting a COVID test done between 2021-2023 is now being used to sell other health related products and services to you?” The question received 9,381 responses with 18% claiming that they are receiving promotional communication from 3rd parties/labs/ hospitals where they got COVID tests done between 2021-2023. The data shows that while 70% of the respondents had “not received any promotional communications” between 2021-2023; 11% of respondents had received “promotional communications directly from the lab/hospital”; 7% had received promotional communication directly from the lab/ hospital as well as other third parties. The respondents included 12% of those who did not give a clear response and opted for “can’t say”. To sum up, 18% of respondents claim that they are receiving promotional communication from 3rd parties /labs/ hospitals where they got COVID tests done in the last 42 months.

Misuse of Citizen Data - 17% citizens say they are receiving promotional communication from 3rd parties/hospitals where they got COVID vaccine between 2021-2023

The next survey question asked “Have you observed that data shared by you with the private entities for getting a vaccine dose between 2021-2023 is now being used to sell other health related products and services to you?” This question received 8,967 responses with 75% claiming that “they have not received any promotional communications?” However, 9% of the respondents indicated that promotional communications have been received directly from the hospital; another 8% indicated that apart from promotional communications from the hospital they have been receiving communication for third parties, while another 8% of the respondents gave no clear response and opted for “can’t say”. Overall, 17% of respondents indicated that they are receiving promotional communication from hospitals/labs in the last 42 months from labs / diagnostic centers / hospitals where they got COVID vaccine and from 3rd parties.

In summary, based on the survey findings, it is safe to conclude that data of some citizens have been compromised by hospitals/ labs while compiling patient data during the time of COVID test or administering the vaccine or booster dose. Nearly 1 in 5 respondents have indicated that they have been getting promotional calls or messages from the hospitals or labs and in less than 10% cases from third parties also. This unethical practice appears to be clear misuse of information. The government needs to not only protect citizens’ data given to its agencies with specific purpose but also ensure that private entities also safeguard the same and not use it for any commercial purpose themselves or through third parties as made clear through the survey. Hopefully, DPDP Rules will soon plug this misuse of citizens’ data.

Survey Demographics

The survey received over 18,000 responses from citizens located in 301 districts of India. 67% respondents were men while 33% respondents were women. 46% respondents were from tier 1, 29% from tier 2 and 25% respondents were from tier 3, 4 and rural districts. The survey was conducted via LocalCircles platform, and all participants were validated citizens who had to be registered with LocalCircles to participate in this survey.