How An Indian Pharmacy Chain's Data Breach Exposed Customer Privacy at Scale

A significant security lapse at one of India’s largest pharmacy retailers has highlighted the dangers of poorly configured administrative systems in the healthcare sector. The breach at DavaIndia Pharmacy, a subsidiary of Zota Healthcare, left sensitive patient information—including medication history, personal contact details, and payment records—accessible to anyone with knowledge of the vulnerability. Security researcher Eaton Zveare uncovered the flaw and disclosed it through proper channels, drawing attention to how even rapidly expanding healthcare companies can neglect fundamental security practices.

The Overlooked Admin Gateway

The technical vulnerability centered on unsecured “super admin” application programming interfaces (APIs) embedded within the DavaIndia platform. These administrative endpoints required no authentication, meaning anyone who discovered them could create high-level administrative accounts and gain complete control over critical business functions.

With super admin privileges, an attacker could have manipulated pricing structures, altered prescription requirements for regulated medications, generated fraudulent promotional codes, and even defaced the entire website. The scope of potential damage extended far beyond data theft—it represented a fundamental breach of operational integrity that could have disrupted service for thousands of pharmacy customers across India.

When Leaks Threaten Patient Privacy

The exposure of pharmacy order records carries particular sensitivity. Unlike other retail transactions, medication purchases reveal intimate details about an individual’s health conditions, treatments, and personal vulnerabilities. The compromised data encompassed names, phone numbers, email addresses, shipping locations, transaction amounts, and itemized product lists.

Approximately 17,000 orders and administrative credentials for 883 physical store locations remained exposed during the vulnerability window. For individuals purchasing sensitive medications—whether related to chronic conditions, reproductive health, or mental wellness—such exposure crosses beyond commercial inconvenience into genuine privacy violation.

The records maintained direct linkages between customer identities and their purchases, meaning the risk extended beyond isolated data points to complete customer profiles tied to specific pharmaceutical needs.

Zota Healthcare’s Expansion and Security Priorities

The incident occurred during an aggressive expansion phase for Zota Healthcare. Headquartered in Gujarat, the company operates more than 2,300 pharmacy outlets across India. In recent months alone, the company added 276 new locations, with plans to establish 1,200 to 1,500 additional stores within the next two years.

This rapid scaling—while demonstrating business growth—raises questions about whether security infrastructure kept pace with operational expansion. Building robust security practices typically requires deliberate investment and planning, and scaling too quickly can inadvertently create technical debt and configuration oversights.

Timeline: From Discovery to Resolution

Zveare reported his findings to CERT-In, India’s National Computer Emergency Response Team, in mid-2025. According to Zveare’s account, the vulnerability had persisted since late 2024, creating an extended exposure window for both customer data and store management systems.

The issue was remediated within weeks of the initial report. However, official acknowledgment from Zota Healthcare to authorities did not materialize until late 2025—a several-month lag between technical resolution and formal corporate confirmation.

TechCrunch reached out to Zota Healthcare’s Chief Executive Officer, Sujit Paul, for comment but received no response. Zveare indicated there was no evidence that the vulnerability had been exploited by malicious actors before remediation.

What This Indian Security Incident Reveals

The DavaIndia incident underscores critical lessons for India’s healthcare and e-commerce sectors. First, administrative interfaces—regardless of their internal designation—require rigorous authentication and access controls. Second, rapid business expansion must incorporate corresponding investments in security architecture, not treat it as an afterthought.
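The first lesson can be enforced in code rather than left to convention. The sketch below is an added example, not DavaIndia's code: the route paths, role names and session store are hypothetical. It pairs a deny-by-default dispatcher with an audit that flags any admin route registered without a role requirement.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ADMIN_PREFIX = "/api/super-admin/"  # hypothetical path, not the real platform's route
# Constructed session store (token -> role); a real service verifies a signed session.
SESSIONS = {"tok-admin": "super_admin", "tok-store": "store_manager"}

@dataclass
class Route:
    handler: Callable[[dict], dict]
    required_role: Optional[str]  # None means the route was registered as public

ROUTES = {}

def route(path, required_role=None):
    def register(fn):
        ROUTES[path] = Route(fn, required_role)
        return fn
    return register

@route("/api/products")  # intentionally public catalogue endpoint
def list_products(body):
    return {"items": []}

@route(ADMIN_PREFIX + "users", required_role="super_admin")
def create_admin(body):
    return {"created": body["email"]}

@route(ADMIN_PREFIX + "coupons")  # misconfigured: admin route with no role declared
def create_coupon(body):
    return {"coupon": body["code"]}

def audit_routes():
    """Return admin-prefixed paths that were registered without a role requirement."""
    return sorted(p for p, r in ROUTES.items()
                  if p.startswith(ADMIN_PREFIX) and r.required_role is None)

def dispatch(path, token, body):
    """Deny by default: admin paths need super_admin even if the route forgot to say so."""
    r = ROUTES.get(path)
    if r is None:
        return 404, {}
    needed = r.required_role or ("super_admin" if path.startswith(ADMIN_PREFIX) else None)
    if needed is not None:
        role = SESSIONS.get(token or "")
        if role is None:
            return 401, {"error": "authentication required"}
        if role != needed:
            return 403, {"error": "insufficient role"}
    return 200, r.handler(body)
```

Running `audit_routes()` in CI catches the forgotten declaration before release, while the dispatcher's prefix rule keeps the same route closed in production.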

For healthcare companies specifically, the regulatory and ethical obligations surrounding patient data demand that security be engineered into systems from inception, not bolted on afterward. The exposure of medication records affects not just individual users but undermines broader trust in India’s digital healthcare infrastructure.

As the country continues building its pharmaceutical e-commerce ecosystem, incidents like these serve as reminders that growth without security creates fragile foundations for long-term success.
