PRIVACY AND HEALTHCARE INDUSTRY: THE IMPACT OF THE DPDP ACT, 2023

Introduction

Privacy is paramount in healthcare, forming the bedrock of ethical, legal, and patient-centric care. It shields the most intimate aspects of one’s life – health and medical history. Patient trust flourishes when patients believe their data is secure, fostering open communication with healthcare providers, promoting timely care-seeking, and enhancing adherence to treatment plans for better health outcomes.

Healthcare organizations worldwide are obligated to adhere to legal frameworks like HIPAA in the United States, imposing strict privacy standards. Non-compliance carries hefty fines and legal repercussions, underscoring the moral duty of prioritizing patient welfare.

Beyond ethics and law, patient privacy safeguards data integrity and security, preventing unauthorized access, data breaches, identity theft, and fraud. Overall, privacy in healthcare preserves trust, ensures ethical conduct, and secures personal and medical data, fundamental to the patient-provider relationship and quality care.

DPDP Act: A New Era

In an age marked by rapid technological progress, the preservation of personal data has emerged as a top priority. The enactment of the Digital Personal Data Protection Act, 2023 (DPDPA) stands as a pivotal achievement in the quest to protect individual privacy in an age where data is considered the “new gold”. This new legal framework carries profound implications, especially within the healthcare sector, where the management of confidential patient data holds unparalleled significance. With the escalating prevalence of data breaches and growing apprehensions regarding privacy, the DPDPA sets out to shield sensitive information within a wide array of sectors, healthcare included.

The following are some of the effects the Act will have on the healthcare sector:

A. Increased Patient Trust and Confidence

The DPDP Act 2023 is a significant step forward for data privacy in the healthcare industry. By giving patients more control over their personal health data and requiring healthcare providers to be more transparent, the Act helps to build trust between patients and providers. One of the most important ways in which the Act does this is by requiring healthcare providers to obtain explicit consent before collecting, processing, or sharing any personal health information. This gives patients the power to choose who has access to their data and how it is used. The Act also gives patients the right to access, correct, rectify, and erase their personal health data. This allows patients to review their data, make changes if necessary, and request that their data be deleted. This gives patients a sense of control over their data and helps them to feel more confident in their healthcare providers. Thus, the DPDP Act 2023 helps patients and their families understand their rights and make informed choices about their data.

B. Improved Data Security and Privacy

The DPDP Act 2023 imposes strict data security and privacy requirements on healthcare providers. This will help to protect patient data from unauthorized access, use, or disclosure. Healthcare providers will be required to implement appropriate security measures, such as encryption and access controls, to safeguard patient data.

C. Inter-Country Transfer of Data

In a globally interconnected healthcare landscape, patient data frequently moves across borders for consultations, expert opinions, and specialized treatments. The aspects of the Act related to international data transfers hold the potential to influence and enhance global healthcare collaborations and medical tourism. Striking a balance between facilitating smooth data exchange and upholding the Act’s robust data protection measures will be a pivotal concern for healthcare institutions.

D. Enhanced Compliance Requirements

The healthcare industry could face difficulties in adjusting to the rigorous compliance standards. To meet these requirements, healthcare providers and organizations will need to make significant investments in strong data management systems, encryption technologies, and cybersecurity measures. These investments are crucial not only for preventing data breaches but also for ensuring full compliance with regulations.

E. Facilitates Innovation and Collaboration

The DPDP Act 2023 will create new opportunities for innovation and collaboration in the healthcare industry. By facilitating the use of personal health data for research, public health, and emergency response, the Act will accelerate the development of new treatments and cures. It will also enable healthcare providers to better coordinate care and improve patient outcomes. However, these academic pursuits can be undertaken only when they do not violate the right to privacy enshrined within the Act.

Conclusion

In conclusion, the Digital Personal Data Protection Act, 2023 (DPDPA), marks a significant stride towards safeguarding individual privacy, particularly within the healthcare sector. Its impact is multi-faceted, enhancing patient trust, fortifying data security, fostering international collaborations, and promoting innovation. However, it demands rigorous compliance efforts and investments in data management and cybersecurity. Embracing the DPDPA is pivotal for balancing privacy and progress, ensuring that healthcare remains a trusted, secure, and innovative realm where patients’ well-being takes precedence in the digital age.

Major Privacy Updates of the Week

Twitter’s (X) 2018 Breach under the lens of the SEC

The Securities and Exchange Commission is investigating Twitter’s (now X) 2018 security issue where a bug exposed user email addresses during password resets. The probe focuses on whether the company properly informed shareholders and implemented safeguards. Former head of security, Peiter Zatko, filed a whistleblower complaint accusing X of grave security deficiencies and violating a 2011 FTC agreement. In 2022, Twitter settled a $150 million FTC charge for misusing user data. However, no X executives have been accused of wrongdoing, and the SEC’s investigation status remains uncertain.

Genetic data of 1 million users posted on the dark web

Hackers have acquired a vast list of individuals with Ashkenazi Jewish ancestry, obtained from genetic testing service 23andMe, and shared it online. The database, titled “Ashkenazi DNA Data of Celebrities,” contains details of 999,999 people who used the service, including names, gender, and ancestral origins. 23andMe claims that most of the people on it aren’t famous, and it appears to have been sorted to only include people with Ashkenazi heritage. 23andMe, treating the breach as authentic, suspects that hackers obtained users’ passwords from other leaked sources, exploiting the service’s access to genetic data. However, the origin of the list’s compilation remains unclear.

German competition regulator rules against Google's data processing

Alphabet Inc., Google’s parent company, is enhancing user control over data processing. This initiative is a direct result of a ruling by Germany’s Federal Cartel Office, the Bundeskartellamt, which mandated that Alphabet must ensure that Google users can decide how their personal data is utilized across the company’s various services. Notably, the enhancement of user control aligns with the European Union’s Digital Markets Act. The ruling aims to limit how much data Google can collect by requiring the company to get explicit consent before using the information. The competition regulator previously stated that users are not given sufficient choice concerning processing.

California’s Delete Act allows users to Delete their Personal Data

California Governor Gavin Newsom signed the new Delete Act into law, allowing Californians to request data brokers to delete or prevent the sale of their personal data with a single request, simplifying a previously arduous process of dealing with over 500 data brokers. The California Privacy Protection Agency (CPPA) is scheduled to establish the request process by January 1, 2026. Under this new Act, data brokers must adhere to 45-day request cycles starting August 1, 2026, allowing data collection but demanding deletion afterward. The law applies to companies earning over $25 million and substantially involved in personal data sales, including various business arrangements.

Spanish Airline, Air Europa, hit by credit card system breach

Spanish airline Air Europa experienced a cyberattack targeting its online payment system, exposing certain customers’ credit card details. The airline promptly notified affected customers and relevant financial institutions. However, the exact number of affected customers and the financial repercussions remain undisclosed. Customers were advised to cancel and replace their payment cards to prevent potential misuse. The Spanish consumer association, Organisation of Consumers and Users, urged email recipients to follow Air Europa’s guidance and requested the national data protection agency to investigate the timing of the cyberattack, as unauthorized use of exposed cards may predate the company’s alert.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay
