New Delhi: A major security lapse at DavaIndia Pharmacy, one of India’s largest retail pharmacy chains operated by Zota Healthcare, exposed sensitive customer order data and internal administrative controls, raising fresh concerns over healthcare data protection in the country’s rapidly expanding digital retail sector.
A security researcher discovered that insecure application programming interfaces (APIs) on the company’s website allowed unauthenticated users to create “super admin” accounts, effectively granting full control over the platform. With this level of access, an attacker could view thousands of online orders, alter product prices, generate discount coupons and even change settings that determine whether certain medicines require a prescription.
The vulnerability, which has since been fixed, potentially exposed nearly 17,000 online orders linked to 883 stores. The data included customer names, phone numbers, email addresses, delivery details, purchase history and payment totals. Given that pharmacy purchases can reveal sensitive health conditions or treatments, the exposure carried heightened privacy and patient-safety risks compared with typical e-commerce breaches.
The researcher said the administrative interfaces appeared to have been accessible since late 2024, suggesting the flaw may have remained undetected for months. There is no evidence so far that the vulnerability was exploited maliciously, but cybersecurity experts caution that prolonged exposure significantly increases the risk of misuse, including data harvesting, platform manipulation or targeted fraud.
Beyond customer information, the access allowed modifications to core operational settings. An attacker could have changed prescription requirements for regulated drugs, altered pricing across the catalogue, or defaced website content — actions that could disrupt supply chains, enable illegal sales of controlled medicines or damage consumer trust.
The issue was reported to India’s Computer Emergency Response Team (CERT-In) in August 2025 through responsible disclosure channels. The bug was patched within weeks, though formal confirmation from the company reportedly came later. Zota Healthcare did not publicly comment on the incident at the time of disclosure.
DavaIndia has been expanding aggressively, with more than 2,300 outlets across the country and plans to add up to 1,500 additional stores in the next two years. The scale of the network means that even limited platform vulnerabilities could affect a large customer base and multiple supply nodes.
Cybersecurity analysts note that pharmacy platforms are particularly sensitive because they combine personal identity data with health-related purchase information. Even in the absence of financial details, such datasets can be used for targeted scams, insurance fraud, blackmail attempts or discriminatory profiling.
The incident highlights persistent weaknesses in API security — a growing attack surface as retailers and healthcare providers digitise inventory, prescriptions and logistics. Misconfigured or unauthenticated admin endpoints can allow attackers to bypass traditional login systems and escalate privileges without triggering standard security alerts.
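The flaw class described above, shown beside a hardened handler. This is an added example, not code from the article or from DavaIndia's platform; the role names, session table, handler names and `example.test` addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical role names and ranks; the article names only "super admin".
ROLE_RANK = {"customer": 0, "store_admin": 1, "super_admin": 2}

# Constructed session table standing in for real server-side session validation.
SESSIONS = {
    "tok-root": ("root@example.test", "super_admin"),
    "tok-store": ("store@example.test", "store_admin"),
}

@dataclass
class Request:
    body: dict
    headers: dict = field(default_factory=dict)

def create_user_vulnerable(req, db):
    """Flaw class from the article: no caller check, role trusted from the body."""
    db[req.body["email"]] = req.body.get("role", "customer")
    return 201

def create_user_hardened(req, db):
    """Authenticate, validate the role, then authorize before writing."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401  # deny by default: no valid session, no account creation
    role = req.body.get("role", "customer")
    if role not in ROLE_RANK:
        return 400  # unknown role strings are rejected, not stored
    caller_rank = ROLE_RANK[caller[1]]
    # Only admins create accounts, and never above their own privilege level.
    if caller_rank < ROLE_RANK["store_admin"] or ROLE_RANK[role] > caller_rank:
        return 403
    db[req.body["email"]] = role
    return 201

def demo():
    """Replay one constructed anonymous request against both handlers."""
    anon = Request(body={"email": "x@example.test", "role": "super_admin"})
    weak_db, safe_db = {}, {}
    return (create_user_vulnerable(anon, weak_db), weak_db,
            create_user_hardened(anon, safe_db), safe_db)

if __name__ == "__main__":
    print(demo())
```

The 401 and 403 responses from the hardened handler are also the events worth alerting on, since the vulnerable version returns a normal 201 that standard monitoring would not flag.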
India currently lacks a fully operational, sector-specific health data protection framework, though broader digital personal data protection rules are expected to impose stricter obligations on companies handling sensitive personal information. Experts say healthcare and pharmacy platforms will need to adopt zero-trust architectures, stronger authentication controls and continuous vulnerability testing to prevent similar exposures.
For consumers, the breach underscores the need for caution when sharing personal and medical information online, particularly on platforms that store long-term purchase histories.
While the vulnerability has been closed and no confirmed misuse has been reported, the episode serves as a reminder that rapid digital expansion without parallel investment in security can create systemic risks — especially in sectors where data sensitivity directly intersects with public health and regulatory compliance.
