The DavaIndia Data Breach: Why India’s DPDP Act Makes Compliance Culture Your Strongest Firewall
It was a quiet Tuesday evening in suburban India.
A daughter logged into a pharmacy app to refill her father’s heart medication. She trusted the green secure icon in the browser. She trusted the brand on the storefront. She trusted that her father’s medical history, his vulnerabilities and his private battles, would be secrets kept between them and their pharmacist.
While she clicked “Order,” a digital door stood wide open.
Not one kicked in by a hooded hacker in a dark room. One that was simply left unlocked. And under India’s Digital Personal Data Protection Act, 2023 (DPDP Act), an unlocked door is no longer just a technical lapse. It is a governance failure.
The Unlocked Vault
In early 2026, media reports began circulating about a vulnerability in the online platform of DavaIndia, operated by Zota Healthcare Ltd. According to public reports, security researcher Eaton Zveare uncovered a serious security flaw in their IT systems.
The issue involved exposed “super admin” APIs embedded within the platform. These APIs were referenced directly in the website’s password reset functionality. A simple request could create a super admin account. No stolen credentials. No brute force attack or sophisticated malware. Just unrestricted administrative access.
The reported implications included access to:
- nearly 17,000 online orders across 883 stores;
- Personally Identifiable Information (PII) including names, phone numbers, and home addresses;
- order histories and payment totals; and
- medication details that could reveal sensitive health conditions.
Most disturbingly, the exposure extended to full administrative control over medication listings. A basic admin setting could switch off the legal prescription requirement for controlled drugs, and the same access allowed prices to be manipulated and unlimited discount codes to be issued. Eaton Zveare specifically avoided testing an illegal purchase, confirming only that the override existed. That such an override sat behind a single admin setting is a fundamental lapse in healthcare governance safeguards.
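The failure the article describes is an administrative endpoint that trusts anyone who knows its URL. The following added example (illustrative Python, not code from DavaIndia's platform; the endpoint name, roles, session layout and in-memory stores are all assumptions) places that anti-pattern next to a hardened handler that denies by default: it authenticates the caller, checks the role, requires an MFA-verified session, and records every attempt in a hash-chained audit log so that later tampering with the log is detectable.

```python
"""Toy model of a privileged 'create admin' API in two versions.

Added illustration for this article, not DavaIndia's code: the endpoint
path, roles, session tokens and stores below are assumptions.
"""
from __future__ import annotations

import hashlib
import json
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_id: str
    role: str            # "customer", "staff" or "super_admin"
    mfa_verified: bool   # second factor completed for this session


@dataclass
class Request:
    path: str
    body: dict
    session_token: Optional[str] = None


# Constructed in-memory state standing in for the platform's database.
SESSIONS: dict[str, Session] = {
    "tok-alice": Session("alice", "super_admin", mfa_verified=True),
    "tok-bob": Session("bob", "super_admin", mfa_verified=False),
    "tok-carol": Session("carol", "customer", mfa_verified=True),
}
ADMINS: set[str] = {"alice", "bob"}
AUDIT_LOG: list[dict] = []


def create_admin_vulnerable(req: Request) -> dict:
    """The anti-pattern: the handler trusts any caller that reaches it.

    Being referenced only from an obscure client-side flow (here, password
    reset) is not access control; the browser is not a trust boundary.
    """
    ADMINS.add(req.body["username"])
    return {"status": 201, "created": req.body["username"]}


def _audit(event: str, actor: str, target: str, outcome: str) -> None:
    """Append an audit record whose hash covers the previous record's hash."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry = {"ts": time.time(), "event": event, "actor": actor,
             "target": target, "outcome": outcome, "prev": prev}
    entry["hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(entry)


def create_admin_hardened(req: Request) -> dict:
    """Deny by default: authenticate, authorise, require MFA, then audit."""
    target = req.body.get("username", "<missing>")
    session = SESSIONS.get(req.session_token or "")
    if session is None:
        _audit("admin.create", "anonymous", target, "denied:unauthenticated")
        return {"status": 401}
    if session.role != "super_admin":
        _audit("admin.create", session.user_id, target, "denied:not_admin")
        return {"status": 403}
    if not session.mfa_verified:
        _audit("admin.create", session.user_id, target, "denied:mfa_required")
        return {"status": 403}
    if not isinstance(target, str) or not target.isalnum():
        return {"status": 400}
    ADMINS.add(target)
    _audit("admin.create", session.user_id, target, "success")
    return {"status": 201, "created": target}


def verify_audit_chain() -> bool:
    """Recompute the chain; False means a record was altered or removed."""
    prev = "0" * 64
    for entry in AUDIT_LOG:
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    anon = Request("/api/admin/create", {"username": "mallory"})
    print("vulnerable:", create_admin_vulnerable(anon))
    print("hardened, anonymous:", create_admin_hardened(anon))
    print("hardened, admin+MFA:", create_admin_hardened(
        Request("/api/admin/create", {"username": "dave"}, "tok-alice")))
    print("audit chain intact:", verify_audit_chain())
```

The point of the hardened version is that the decision is made server-side on every call, in the same order each time (who are you, are you allowed, did you prove it recently), and that the refusals are logged as well as the successes; a sudden run of `denied:unauthenticated` records on an admin endpoint is itself a signal worth watching.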
The vulnerability dated back to late 2024. It was disclosed to CERT-In in August 2025 and patched within weeks. Public confirmation, however, surfaced months later. At the time, the company was reportedly in aggressive expansion mode, announcing hundreds of new store openings.
And this is where governance questions begin.
In compliance culture, timelines matter. Stakeholders observe how quickly you respond, how transparently you communicate, and whether leadership speaks. Silence after a vulnerability comes to light often communicates more than carefully drafted statements.
From Company to Data Fiduciary
Under the DPDP Act, organisations handling personal data are categorised as Data Fiduciaries. The term is deliberate. A Data Fiduciary determines why and how personal data is processed and is expected to act in the best interests of the individuals behind that data. The word fiduciary comes from fiducia, meaning trust.
When a pharmacy platform exposes prescription details, it is not simply exposing data fields. It is revealing diagnoses, treatments and deeply personal medical realities. Under the DPDP Act, failure to implement reasonable security safeguards or failure to meet notification obligations can attract financial penalties that may extend up to ₹250 crore.
But legal exposure is only part of the story. Reputational exposure can be far more expensive.
For a healthcare platform, trust is not a branding element. It is the foundation of the business model.
Was This a Technical Failure or a Cultural One?
It is easy to categorise incidents like this as cybersecurity lapses. But configuration decisions are made by people. Testing protocols are approved by managers and budgets are allocated by leadership teams.
Which leads us to harder questions:
- Did the developers fully appreciate the sensitivity of the health data they were protecting?
- Were security reviews treated as strategic safeguards or routine formalities?
- Did leadership view 17,000 orders as database entries or as 17,000 families?
When security becomes procedural rather than personal, vulnerabilities multiply quietly.
Technology reflects culture. If accountability is weak, systems follow.
Way Forward: For DavaIndia and Similar Organizations
How do organizations prevent this? By treating security as a governance commitment, not a compliance checkbox. Here is the playbook:
- Order a Full Security Assessment: Engage external experts for thorough testing of customer apps, admin portals, APIs and third-party integrations.
- Mandate Strong Admin Controls: Deploy multi-factor authentication across all privileged functions and capture immutable logs of every privileged operation.
- Enable Continuous Threat Detection: For health data sensitivity, maintain constant surveillance for unusual patterns through an internal team or outsourced threat monitoring service.
- Launch a Responsible Disclosure Channel: Set up a public policy welcoming security reports from researchers, complete with defined response deadlines and credit for ethical findings.
- Accelerate DPDP Act Implementation: Ahead of 2027 deadlines, map all personal data flows, draft user privacy notices, audit vendors, conduct high-risk impact assessments and test breach notification procedures.
- Deliver Contextual Data Security Training: Train all developers, IT staff and leadership on recognizing health data sensitivity, secure coding practices, and the human impact of breaches like prescription exposure.
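The "immutable logs" and "continuous threat detection" items above only pay off if someone actually queries the logs for the patterns this incident involved: privileged accounts appearing, privileged operations by sessions that never completed MFA, a prescription gate being switched off on a listing, and bursts of discount-code issuance. The example below is added for this article and is not DavaIndia's tooling; the log format, field names, thresholds and the sample lines are all constructed assumptions. It parses newline-delimited JSON audit records and applies those four rules.

```python
"""Detection rules over privileged-operation audit logs.

Added example for this article; the log schema, field names and thresholds
are assumptions, and SAMPLE_LOG is constructed, not real platform data.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an unauthenticated caller creates an admin, disables a
# listing's prescription gate and mints discount codes; a legitimate admin
# (alice) works with MFA in the same hour.
SAMPLE_LOG = """\
{"ts":"2026-01-10T09:00:00Z","event":"login","actor":"alice","mfa":true,"outcome":"success"}
{"ts":"2026-01-10T09:01:00Z","event":"admin.create","actor":"anonymous","target":"mallory","mfa":false,"outcome":"success"}
{"ts":"2026-01-10T09:02:00Z","event":"listing.update","actor":"mallory","target":"sku-4471","changes":{"prescription_required":[true,false]},"mfa":false,"outcome":"success"}
{"ts":"2026-01-10T09:03:00Z","event":"discount.issue","actor":"mallory","target":"CODE-1","mfa":false,"outcome":"success"}
{"ts":"2026-01-10T09:03:05Z","event":"discount.issue","actor":"mallory","target":"CODE-2","mfa":false,"outcome":"success"}
{"ts":"2026-01-10T09:03:09Z","event":"discount.issue","actor":"mallory","target":"CODE-3","mfa":false,"outcome":"success"}
{"ts":"2026-01-10T09:03:12Z","event":"discount.issue","actor":"mallory","target":"CODE-4","mfa":false,"outcome":"success"}
{"ts":"2026-01-10T10:00:00Z","event":"listing.update","actor":"alice","target":"sku-0099","changes":{"price":[120,110]},"mfa":true,"outcome":"success"}
{"ts":"2026-01-10T10:05:00Z","event":"discount.issue","actor":"alice","target":"PROMO-JAN","mfa":true,"outcome":"success"}
"""

PRIVILEGED_EVENTS = {"admin.create", "listing.update", "discount.issue"}
DISCOUNT_BURST_LIMIT = 3                    # alert when more than this...
DISCOUNT_BURST_WINDOW = timedelta(minutes=5)  # ...per actor in this window


def parse_log(text: str) -> list[dict]:
    """Parse NDJSON audit records, converting timestamps to datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect(records: list[dict]) -> list[dict]:
    """Run the four rules over records (assumed sorted by timestamp)."""
    alerts: list[dict] = []
    issued: dict[str, list[datetime]] = defaultdict(list)
    for rec in records:
        ev, actor = rec["event"], rec["actor"]
        # Rule 1: every privileged-account creation is reviewed, no exceptions.
        if ev == "admin.create":
            alerts.append({"rule": "admin_account_created", "actor": actor,
                           "target": rec.get("target")})
        # Rule 2: a privileged operation from a session without completed MFA.
        if ev in PRIVILEGED_EVENTS and not rec.get("mfa", False):
            alerts.append({"rule": "privileged_op_without_mfa", "actor": actor,
                           "event": ev})
        # Rule 3: a listing's prescription requirement flipped from on to off.
        changes = rec.get("changes", {})
        if ev == "listing.update" and changes.get("prescription_required") == [True, False]:
            alerts.append({"rule": "prescription_gate_disabled", "actor": actor,
                           "target": rec["target"]})
        # Rule 4: sliding-window count of discount codes issued per actor;
        # fires once, at the moment the count crosses the limit.
        if ev == "discount.issue":
            window = issued[actor]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > DISCOUNT_BURST_WINDOW:
                window.pop(0)
            if len(window) == DISCOUNT_BURST_LIMIT + 1:
                alerts.append({"rule": "discount_burst", "actor": actor,
                               "count": len(window)})
    return alerts


def summarise(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per rule, which is what a daily review would start from."""
    counts: dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(a)
    print(summarise(found))
```

Rules 1 and 3 are deliberately unconditional: in a pharmacy, a new super admin or a prescription gate being turned off is rare enough that every occurrence deserves a human look, and the cost of a false positive is a few minutes of an analyst's time.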
Wrapping Up
At Rainmaker, we believe compliance is not a department. It is a discipline. A mindset. A pulse that runs through the organisation. Policies and controls matter. But culture determines whether they are taken seriously.
When a developer understands that a leaked address represents a real home and a leaked prescription reflects a real medical condition, accountability stops being theoretical. It becomes personal. And that changes how systems are designed.
In 2026, your technical firewall is only as strong as your culture. Checklists and security stacks can reduce risk. But without a lived culture of ownership, empathy, and responsibility, even the strongest architecture can be undone by a single careless configuration.
So ask yourself: Is your team viewing data as spreadsheet entries or as human lives?
Let’s build organisations where privacy is not just documented, but defended. Where trust is not marketed, but earned.
Is your data protection culture ready?
Download our DPDP toolkit for an 18-Month Readiness Roadmap.
Suggested Reading
- India’s DPDP Act 2023 & Rules 2025: Cross‑Border Data Transfer Rules, Negative List Risks & Compliance Action Plan for Indian Businesses | Rainmaker
- Significant Data Fiduciary Under India’s DPDP Act: Boardroom Duties, DPO Role, DPIAs and AI Risk Governance | Rainmaker
- Reimagining Consent in India’s Digital Age: What the DPDP Act & Rules 2025 Mean for Data Privacy and Compliance | Rainmaker
- DPDP Rules, 2025 Compliance: 2026 FAQs for Indian Companies | Rainmaker
- Consent Isn’t a Pop‑Up Anymore: DPDP Act, DPDP Rules 2025, CMS and Consent Managers – FAQs for Indian Companies | Rainmaker