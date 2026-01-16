'Whoever Controls Our Health Data, Will Set Medicare And Public Policy Rules For The Future'
Experts warn AI platforms are quietly seizing control of India's sensitive health and financial data via routine app permissions, threatening privacy, profiling, and national sovereignty.
Published : January 16, 2026 at 5:48 PM IST
By Surabhi Gupta
New Delhi: Every day, millions of Indians give away intimate details of their health, location and finances in a single click, often without realising that this silent data surrender could expose them to profiling, misuse and long-term privacy risks. As artificial intelligence (AI) platforms expand rapidly into healthcare and financial services, cybersecurity experts, clinicians and legal scholars are raising alarms over how Indian users unknowingly surrender vast amounts of sensitive personal data at the very first step, the sign-up screen.
What appears to be routine app permissions, they warn, is quietly transforming health and financial data into a strategic asset controlled by global technology platforms, often beyond India’s legal and regulatory reach.
From fitness trackers and patient health record apps, to AI-driven diagnostic tools and insurance platforms, data collection today goes far beyond what users consciously intend to share. Analysts say this shift carries deep implications, not just for individual privacy, but for India’s data sovereignty, public health policy and economic security.
“At the sign-up stage, users often surrender far more than they realise,” Amit Dubey, an expert in cyber investigations, told ETV Bharat. “Precise location history, contact graphs, device identifiers, health metadata and behavioural patterns are routinely handed over. This is not consent in the informed sense; it is consent by design fatigue,” he added.
From Data Collection To Behavioural Profiling
Dubey said global investigations have repeatedly shown how data collected for “service improvement” is later repurposed. “Location and health-adjacent data has been used for targeted advertising, insurance risk modelling and even credit profiling through third-party data brokers,” he said.
“The danger is not just collection, but aggregation,” he warned. “Even anonymised datasets can be re-identified when combined with location, device and activity patterns. The industry calls this ‘insight generation’; regulators should call it behavioural exploitation.”
Many experts say this indirect use of data is particularly dangerous, because users never explicitly give consent to these outcomes, even though algorithmic decisions can affect access to loans, insurance premiums, employment and healthcare.
Pegasus And The Myth Of Digital Safety
Dubey also cautioned against assuming that any digital ecosystem is immune to surveillance, pointing to the Pegasus spyware controversy.
“The Pegasus episode clearly proved that no digital ecosystem, not even one marketed as privacy-first, is immune,” he said. “Encryption protects data in transit, but exploitation happens at the operating system and zero-day level. Absolute digital safety is a myth in a world of nation-state cyber warfare.”
According to experts, this reality makes the concentration of health and financial data within a few AI-driven platforms especially risky.
Who Really Owns Our Health Data?
While patients are legally recognised as owners of their health data, experts say control often shifts, the moment that data enters digital systems.
“Legally, patients own their health data, but technically and operationally, control shifts to hospitals, cloud providers and AI platforms, the moment this data is processed,” Dubey said. “When Indian health data flows through global AI systems, it effectively enters foreign legal jurisdictions. Ownership becomes theoretical, while access and influence are practical.”
He described this as the core sovereignty risk in health AI, warning that India could lose meaningful oversight over how its population-level clinical intelligence is used.
Breaches Underline Real-World Risks
Recent data breaches in India’s healthcare ecosystem have underscored these warnings. In 2025, Star Health Insurance suffered a massive breach, exposing 7.24 terabytes of personal and medical data of more than 31 million customers. A hacker claiming responsibility reportedly released the data and issued threats to company executives.
“This exposed highly sensitive medical records tied directly to individuals,” Dubey said. “It showed how easily healthcare data can be stolen, circulated on underground forums and misused.”
In another case, the complete database of MD INDIA, a major health insurance TPA (third-party administrator), was leaked online, exposing policy numbers, contact details and financial data.
“Together, information on health and finance is a goldmine for insurance fraud, identity theft and targeted social engineering,” Dubey said, adding that aggregators and TPAs have become high-value targets.
Healthcare AI And Sovereignty Concerns
The debate has intensified with the launch of new global healthcare AI platforms. Dr Suvrankar Datta, an AI researcher and radiologist with clinical training from AIIMS Delhi, warned that India risks handing over its healthcare sovereignty to foreign platforms.
“OpenAI has initiated a direct play to become the operating system for global healthcare data,” Datta said. “This is not just about replacing doctors. It is about becoming the default interface, where your health data, wearables, lab reports, clinical notes and fitness logs get stored, organised, interpreted and ultimately monetised.”
India, he noted, represents an unparalleled clinical dataset. “We have over a billion people and disease patterns the world doesn’t see elsewhere, TB, rheumatic heart disease, tropical infections, cancers that present differently,” he said. “This is a treasure trove of clinical information.”
Datta warned that whoever controls the layer that integrates this data will control diagnostics, healthcare policy and population health. “If Indian data flows only into foreign platforms, we are reduced to data suppliers, not data owners, and certainly not builders,” he said.
Locked in, locked out
Drawing parallels with cloud and consumer platforms, Datta cautioned that once users’ data and habits are embedded into a system, exit becomes nearly impossible. “It starts free. Later you pay for the smarter version,” he said. “We have seen this with Google Drive and iCloud. But healthcare is not email or photos. It is sovereign data.”
He stressed that this was not an argument against global collaboration. “We absolutely need it,” he said. “But the core intelligence built on Indian health data must be governed in India. Otherwise, we will end up paying for insights generated from our own people.”
Enforcement: India’s Weak Link
Karnika A Seth, a cyber lawyer and public policy expert, pointed out that while the Digital Personal Data Protection (DPDP) Act mandates encryption and security for sensitive health data, implementation remains uneven.
Seth said global experience shows that raw data is rarely sold. “Instead, insights are monetised through targeted insurance, predictive advertising and behavioural analytics,” she said.
“When users click ‘allow’, they often give away far more than they realise,” cyberlaw expert Saakshar Duggal told ETV Bharat. “Location, contacts and health permissions together reveal routines, medical conditions and behavioural patterns. Consent is rarely informed.”
However, Duggal listed the risks bluntly, “Silent profiling that affects loans and jobs. Algorithmic discrimination without explanation. Massive exposure if a single breach occurs. Loss of personal autonomy through behavioural manipulation. And limited legal remedies once data crosses borders.”
Experts agree that India needs urgent action, stronger audits, transparency on cross-border data use, clear liability frameworks and sustained public investment in domestic health AI infrastructure.
“The stakes are massive,” Datta said. “Whoever controls health data and health AI will set the rules for medical care and public policy for the next decade. If we build our own now, we control our future. If we wait, we will be locked out, and locked in.”
