The Digital Prescription for Disaster: How India’s DavaIndia Pharmacy Exposed Thousands of Customer Health Records 

A security researcher discovered that DavaIndia Pharmacy, a rapidly expanding chain with over 2,300 outlets across India, had left its website’s administrative interfaces exposed, allowing anyone to create “super admin” accounts and access nearly 17,000 customer orders containing highly sensitive personal and medical information, including names, addresses, and specific medication purchases. The vulnerability, which appeared to have been live since late 2024, was responsibly reported to Indian authorities in August 2025 and subsequently patched, with no evidence of malicious exploitation. The incident nonetheless underscores the profound privacy risks inherent in the digitization of healthcare, where the exposure of medication histories can lead to stigma and discrimination far beyond typical data breaches. It also highlights the critical need for companies pursuing aggressive growth to prioritize security as foundational infrastructure rather than an afterthought.

When a nation’s healthcare digitization outpaces its security protocols, patient privacy becomes the casualty. 

On February 13, 2026, TechCrunch broke a story that should concern anyone who has ever filled a prescription at one of India’s 2,300+ DavaIndia Pharmacy outlets. Security researcher Eaton Zveare discovered that the pharmacy chain’s website contained insecure “super admin” application programming interfaces (APIs) that allowed complete strangers to create administrator accounts with god-level access to the entire system. 

For months—possibly since late 2024—these digital doors stood wide open. No password required. No authentication needed. Just empty digital space waiting for anyone curious enough to wander through. 

And what waited inside? Approximately 17,000 customer orders containing names, phone numbers, email addresses, mailing addresses, payment amounts, and most disturbingly—the specific medications people purchased. 

The Intimacy of Pharmacy Data 

Let’s pause here and consider what “products purchased” actually means when you’re talking about a pharmacy. 

We’re not discussing someone’s favorite book genre or their preferred clothing brand. We’re talking about medications for mental health conditions, treatments for sexually transmitted infections, hormone therapies, addiction recovery medications, erectile dysfunction drugs, antidepressants, anxiety medications, and a thousand other purchases that people reasonably expect to remain private. 

As Zveare noted in his findings, “the products being purchased could be considered private and even embarrassing for some people.” That’s an understatement worthy of the year’s most restrained observation. 

Pharmacy data occupies a uniquely sensitive category in the information hierarchy. Your social media posts are curated public performances. Your search history contains passing curiosities. But your medication history? That’s your actual medical reality—the conditions you’re actively managing, the health challenges you’re confronting, the treatments your doctor deemed necessary. 

In India, where discussions around health—particularly mental health, sexual health, and chronic conditions—remain heavily stigmatized, exposure of this data carries consequences that extend far beyond identity theft risks. It threatens real-world discrimination, social ostracization, and emotional harm that doesn’t fit neatly into breach notification templates. 

The Technical Gap That Opened the Door 

The vulnerability Zveare discovered wasn’t sophisticated. It didn’t require nation-state resources or zero-day exploits purchased on dark web markets. It was, at its core, a failure of basic security hygiene—the digital equivalent of leaving the pharmacy’s master key taped to the front door. 

DavaIndia’s website contained administrative interfaces that simply didn’t check who was requesting access. Anyone who knew where to look could create themselves a “super admin” account with privileges that would make the company’s actual IT managers envious. From there, the possibilities cascaded outward like dominoes: 

  • View thousands of customer orders with complete personal information 
  • Modify product listings and prices at will 
  • Create discount coupons (hello, instant personal shopping spree) 
  • Change settings that determine whether specific medications require prescriptions 
  • Edit website content for defacement or misinformation campaigns 

The access spanned 883 stores—nearly 40% of DavaIndia’s retail footprint. An attacker with malicious intent could have quietly harvested customer data for months, sold it on underground markets, used it for targeted phishing campaigns, or simply observed the private medical purchases of thousands of unsuspecting customers. 
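The class of flaw described above, an admin endpoint that never checks the caller, can be caught with a deny-by-default dispatcher and a regression audit that sends every non-public route a request with no credentials. This is an added example, not DavaIndia's code or API: the route paths, role names and session tokens are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Route:
    path: str
    handler: Callable[[dict], dict]
    required_role: Optional[str]  # None means no access policy was declared

def create_admin(body): return {"created": body.get("email")}
def list_orders(body): return {"orders": []}
def list_products(body): return {"products": []}

# Constructed route table (hypothetical paths). The first entry models the flaw
# the article describes: an admin-creation endpoint with no access check.
ROUTES = [
    Route("/api/admin/users", create_admin, None),
    Route("/api/admin/orders", list_orders, "super_admin"),
    Route("/api/products", list_products, "public"),
]
SESSIONS = {"tok-admin": "super_admin", "tok-staff": "store_staff"}  # constructed

def dispatch(route, token, body, deny_by_default=True):
    """Return (status, payload); authorization is decided before the handler runs."""
    if route.required_role == "public":
        return 200, route.handler(body)
    if route.required_role is None:
        if deny_by_default:
            return 403, {"error": "route has no access policy"}
        return 200, route.handler(body)  # legacy behaviour: handler trusts any caller
    role = SESSIONS.get(token)
    if role is None:
        return 401, {"error": "authentication required"}
    if role != route.required_role:
        return 403, {"error": "insufficient role"}
    return 200, route.handler(body)

def audit_unauthenticated(routes, deny_by_default):
    """Return non-public routes that answer 2xx to a request carrying no token."""
    exposed = []
    for route in routes:
        if route.required_role == "public":
            continue
        status, _ = dispatch(route, None, {"email": "audit@example.invalid"}, deny_by_default)
        if 200 <= status < 300:
            exposed.append(route.path)
    return exposed
```

Run as a CI check, a non-empty result from `audit_unauthenticated` fails the build before an unprotected admin route reaches production.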

The Race to Scale and the Security Afterthought 

DavaIndia Pharmacy is the retail arm of Zota Healthcare, a Gujarat-headquartered company that’s been expanding at breakneck speed. In January alone, the company announced 276 new outlets. Their growth projections call for another 1,200 to 1,500 stores over the next two years. 

This aggressive expansion tells a familiar story in the business world—the race to capture market share, build brand presence, and establish infrastructure before competitors can respond. It’s the kind of growth that excites investors and fills quarterly reports with impressive numbers. 

But it also creates conditions where security becomes an afterthought. When you’re adding hundreds of new locations, managing supply chains, training staff, and coordinating logistics across a subcontinent, website security can feel like a background concern—something to address “later,” when the immediate fires are under control. 

Except later arrived in August 2025, when Zveare discovered the exposed interfaces and reported them to CERT-In, India’s national cyber emergency response agency. The vulnerability was fixed within weeks, but confirmation from DavaIndia took until late November—a timeline suggesting that security wasn’t exactly at the top of the company’s priority list. 

What Could Have Been Done With That Access? 

Zveare found no evidence that the flaw was exploited before it was patched. That’s the good news—the kind of “close call” that security professionals discuss with visible relief. 

But let’s consider what an attacker with malicious intent could have accomplished with “super admin” access to a national pharmacy chain’s website. 

Scenario one: The quiet observer. An attacker simply monitors customer orders, building a database of medical information linked to specific individuals. They sell this data to insurance companies, employers, marketing firms, or anyone willing to pay for insight into people’s health conditions. No one notices anything wrong because nothing “happened”—the data just quietly leaked into the background noise of the internet. 

Scenario two: The prescription manipulator. With access to settings that govern prescription requirements, an attacker could flag certain medications as “no prescription needed,” potentially enabling dangerous self-medication or creating liability nightmares for the company. Alternatively, they could require prescriptions for common over-the-counter drugs, disrupting customer access and creating chaos. 

Scenario three: The ransomware architect. Rather than stealing data quietly, the attacker encrypts systems and demands payment to restore access. A pharmacy chain with thousands of daily customers and time-sensitive medication needs would face impossible pressure to pay quickly—and attackers know this. 

Scenario four: The targeted harasser. Using customer data linked to sensitive medication purchases, an attacker identifies individuals and exposes their health information to family members, employers, or the public. The damage here isn’t financial—it’s deeply personal and potentially life-altering. 

The Researcher’s Role: Ethical Disclosure in Action 

Eaton Zveare represents the often-unseen layer of cybersecurity’s immune system—independent researchers who identify vulnerabilities and report them through proper channels rather than exploiting them for profit or notoriety. 

His actions following the discovery followed an ethical disclosure playbook that benefits everyone except actual criminals. He identified the issue, documented his findings, and privately shared details with Indian cybersecurity authorities. He didn’t publish the vulnerability publicly before it was fixed. He didn’t demand payment or threaten exposure. He simply did the work that companies should be doing themselves and trusted the system to respond appropriately. 

The system did respond—the vulnerability was patched within weeks. But the timeline from discovery in August to confirmation in late November suggests plenty of room for improvement in how organizations handle researcher reports. 

For his efforts, Zveare received what most researchers receive: acknowledgment that the issue was addressed and no indication that his work would be compensated or formally recognized. This is the standard operating procedure in an industry where companies routinely benefit from free security audits performed by skilled professionals who simply want to make the internet safer. 

The Broader Context: India’s Digital Health Transformation 

This incident doesn’t exist in isolation. It’s part of a massive digital transformation sweeping through India’s healthcare system—a transformation driven by legitimate needs and genuine opportunities. 

India’s healthcare infrastructure has historically struggled with accessibility, particularly in rural areas where pharmacy access might require hours of travel. Digital platforms promise to bridge these gaps, connecting patients with medications through online ordering and delivery networks. Companies like DavaIndia are building the digital plumbing for a new era of healthcare delivery. 

But with this digitization comes responsibility—the responsibility to protect the most intimate data most people will ever generate. 

The Indian government has recognized these stakes. The Digital Personal Data Protection Act, passed in 2023, establishes frameworks for data protection that include significant penalties for mishandling personal information. Health data, classified as “sensitive personal data,” receives enhanced protections under the law. 

Yet legislation alone doesn’t secure APIs. Regulations don’t patch vulnerabilities. The gap between legal frameworks and technical implementation remains wide enough to drive trucks through—or in this case, wide enough for researchers to walk through unauthenticated. 

What Customers Should Do Now 

For the approximately 17,000 customers whose order data was exposed, the vulnerability is now closed and there’s no evidence their information was accessed. But for anyone who’s used DavaIndia’s online pharmacy services—or any online pharmacy, for that matter—this incident offers several lessons worth internalizing. 

Monitor for unusual activity. Pharmacy data can enable targeted phishing campaigns where scammers reference specific medications to establish credibility. Be skeptical of unexpected communications referencing your health or medications. 

Consider communication channels. When corresponding with pharmacies about sensitive medications, consider whether email is truly the appropriate channel. Many pharmacies now offer secure messaging through patient portals—use them when available. 

Ask about security practices. Before providing sensitive health information to any online platform, ask what security measures protect your data. Companies that take security seriously will have clear answers. Companies that don’t may reveal themselves through vagueness or defensiveness. 

Balance convenience against privacy. The convenience of ordering medications from home is real and valuable. But that convenience comes with privacy trade-offs that deserve conscious consideration. Make informed decisions about which platforms you trust with your health information. 

The Accountability Question 

Zota Healthcare, DavaIndia’s parent company, has not responded to requests for comment about this incident. CEO Sujit Paul did not reply to TechCrunch’s emails. This silence speaks volumes about how the company views its relationship with affected customers. 

Accountability in data breaches typically follows a predictable pattern: initial silence, followed by carefully crafted statements acknowledging the issue while minimizing responsibility, followed by promises of improved security, followed by business as usual until the next incident. 

Whether Indian regulators will pursue enforcement action remains unclear. CERT-In received the report and facilitated remediation, but public disclosure of enforcement outcomes rarely occurs. Customers affected by the exposure may never learn whether any consequences followed the discovery. 

The Path Forward: Security as Infrastructure, Not Afterthought 

The DavaIndia exposure joins a growing list of healthcare data breaches that share a common characteristic: they weren’t sophisticated attacks but simple failures of basic security implementation. No advanced persistent threats. No state-sponsored hackers. Just interfaces that didn’t check who was asking for access. 

As healthcare continues its digital transformation, organizations must recognize that security isn’t a feature to add later or a cost to minimize. It’s foundational infrastructure—as essential to healthcare delivery as sterile equipment and accurate dosing. 

For companies expanding rapidly, the temptation to prioritize growth over security is understandable but unacceptable. Every new store, every new customer, every new digital interaction creates additional obligations to protect the information entrusted to your systems. 

The customers who fill prescriptions at DavaIndia aren’t just buying products—they’re managing health conditions, treating illnesses, and maintaining quality of life. They deserve pharmacy services that take those responsibilities as seriously as they do. 

One hopes that Zota Healthcare’s leadership understands this now, after coming within inches of exposing thousands of customers’ most private medical information. The vulnerability is patched. The immediate crisis is averted. But the underlying question remains: in the race to build India’s pharmacy future, will security finally become a priority rather than an afterthought? 

For the 17,000 customers whose data sat exposed for months, the answer to that question matters more than any expansion announcement or store count milestone. They’ve already trusted DavaIndia with their health. The question is whether that trust was well-placed—and whether it will be in the future.