Digital health cards: Threat of another data breach, after the CoWin leak?

The Gujarat government has taken the initiative to formulate digital health cards for all students to track their cognitive and nutritional development. However, with the CoWin data breach in recent times, attaching nutritional development with surveillance only spells ‘disaster’.

According to an IANS report, the Gujarat government is looking to start this initiative under its Shala Arogya-National Child Health Program (SHRBSK). This program was given the green light on June 12, as the incumbent BJP government plans to conduct health check-ups of over one crore school children through the following 30 days.

The program has been introduced to offer free health checkups to students, while also diagnosing ailments such as anaemia, malnutrition, skin diseases, learning disabilities, developmental delays, and other illnesses. The one major feature that the program ‘flexes’ is the introduction of its ‘digital health card’ which will provide insights into parameters such as anaemia levels, height and nutrition status.

With the introduction of these health cards, a similar pattern can be perceived where intrinsic personal information shall be collected and according to one of its terms, the quarterly health report of the child shall be attached to their marksheet.

These details shall be stored in the student’s personal Ayushman Bharat Health Account (ABHA) ID, through nodal teachers and community health officers. These accounts will be accessible by both the students and their parents through the DHCs.

This Centre–state initiative comes in the wake of the CoWin data breach which put millions of Indians’ personal information at stake. According to Scroll, Rahul Sasi, the chief executive officer of a digital threat analysis company based in Bengaluru, CloudSek, said that the data was compromised through the credentials of several health workers.

However, Dr Nayan Jani, the deputy director at the Commissonerate of Health and Medical Services, Gujarat, said there was no possibility of a data breach with the digital health cards. He said, "The data is handled by the health and the education ministries and no private entity is employed. Securing the data is our topmost priority."

Dr Jani added that the DHC servers will hold details such as weight, height, haemoglobin levels and other such parameters for students from ages 10 to 19 years. He said, "Like CoWin, this database will store all of these details without fail. Nobody can breach the data."

However, the comparison may not be as reassuring as Jani hopes. The public will remember that the incumbent Central government is no stranger to such data breaches, as prior to the CoWin fiasco, similar infringements had been noticed on two separate occasions. The most recent was recorded from State Bank of India, where 7.9 million cardholders lost their account privacy in a massive data breach in 2022. Similarly, in 2018, the data breach of Aadhaar card holders had caused in the loss of 1.1 billion Indians’ identities.

According to Anushka Jain, policy counsel at the Internet Freedom Foundation, most of these data breaches happen because of a lack of data protection laws in India. She said, "A data protection bill was put out for public consultation in November but since then there has been no development on the draft proposal."

Jain added that the lack of these laws only make way for more such data breaches such as the CoWin–Aadhaar exposure, invading the privacy of members of the public.

The other aspect of the conundrum is the importance of signing up for such programmes in order to access essential services. It is as yet unknown to what degree the digital health report will influence students' academic records and trajectories. However, the linking of Aadhaar to other personal data to access various banking services and allegedly even to gain school admission in some cases sets a precedent for PM Modi’s Digital India — where digital record and exposure of personal data is made by mandate and not through any real choice.

The author has reached out to digital privacy experts and the Health Ministry for comments. The report shall be further developed as awaited inputs are received.