India's Pharmacy Giant Left 17,000 Prescriptions Wide Open
DavaIndia's security flaw exposed customer prescription data and drug control functions, highlighting critical vulnerabilities in online healthcare platforms.
When Your Most Private Purchases Become Public
17,000 prescription orders. Customer names, phone numbers, medications purchased. All sitting wide open on the internet, accessible to anyone who knew where to look.
This isn't just another data breach. When pharmacy records get exposed, they reveal the most intimate details of people's lives—their health conditions, medications, and purchases they'd rather keep private. Security researcher Eaton Zveare discovered this vulnerability at DavaIndia Pharmacy, one of India's largest pharmacy chains, where the digital doors had been left unlocked since late 2024.
The 'Super Admin' Anyone Could Become
DavaIndia, operated by Zota Healthcare, runs over 2,300 stores across India and added 276 new outlets just this January. The company plans another 1,200-1,500 stores over the next two years—a rapid expansion that apparently outpaced their security measures.
Zveare found that DavaIndia's admin interfaces were so poorly secured that anyone could create "super admin" accounts with extensive privileges. What could these fake administrators do?
- Access thousands of customer orders and personal information
- Modify product prices and listings
- Generate discount coupons
- Change whether medications required prescriptions
That last point is particularly alarming. An attacker could potentially reclassify prescription drugs as over-the-counter medications, bypassing crucial safety controls.
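The article does not describe how DavaIndia's admin backend is built, so the following is an added example, not DavaIndia's or the researcher's code. It models the control whose absence is described above: every privileged action is authorized server-side against a deny-by-default table, and denied attempts are logged for alerting. The role names, action names and the `AdminService` class are hypothetical.

```python
from dataclasses import dataclass, field

# Minimum role for each privileged action the article lists (role names are hypothetical).
RANK = {"customer": 0, "store_admin": 1, "super_admin": 2}
REQUIRED = {
    "view_orders": "store_admin",
    "edit_product": "store_admin",
    "create_coupon": "store_admin",
    "set_rx_required": "super_admin",
    "create_admin": "super_admin",
}

class Forbidden(Exception):
    pass

@dataclass
class AdminService:
    sessions: dict                      # session token -> user, held server-side
    roles: dict                         # user -> role, held server-side
    rx_required: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _authorize(self, token, action):
        user = self.sessions.get(token)             # unknown token -> None
        role = self.roles.get(user)                 # never taken from the request body
        needed = REQUIRED.get(action)               # unlisted action -> deny
        ok = (user is not None and needed is not None
              and RANK.get(role, -1) >= RANK[needed])
        self.audit.append((user, action, "allow" if ok else "deny"))
        if not ok:
            raise Forbidden(action)
        return user

    def create_admin(self, token, new_user, role):
        self._authorize(token, "create_admin")      # only an existing super admin may grant roles
        if role not in RANK:
            raise ValueError(role)
        self.roles[new_user] = role

    def set_rx_required(self, token, sku, required):
        self._authorize(token, "set_rx_required")
        self.rx_required[sku] = bool(required)

def denied_privileged_attempts(audit):
    """Audit entries worth alerting on: denied attempts at super_admin actions."""
    return [e for e in audit if e[2] == "deny" and REQUIRED.get(e[1]) == "super_admin"]
```
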
The Ripple Effect Beyond India
This incident exposes a broader vulnerability in the global shift toward digital healthcare. As online pharmacies proliferate worldwide—from CVS and Walgreens in the US to emerging platforms across Asia and Europe—the attack surface for healthcare data breaches continues to expand.
For businesses operating in India or partnering with Indian healthcare providers, this breach raises critical questions about vendor security assessments and supply chain risks. The exposed data included administrative controls spanning 883 stores, suggesting the vulnerability's scope extended far beyond a single location.
What Consumers Should Know
Zveare reported the flaw to India's cyber emergency response agency (CERT-In) in August, and it was fixed within weeks. Crucially, there's no evidence the vulnerability was actually exploited before the patch.
But relying on luck isn't a security strategy. For anyone using online pharmacy services:
- Review platform privacy policies and data handling practices
- Minimize unnecessary personal information sharing
- Regularly monitor account activity and order histories
- Consider the sensitivity of prescription data when choosing platforms
The Prescription for Better Security
This incident highlights a troubling pattern: healthcare digitization often prioritizes speed and convenience over security fundamentals. Zota Healthcare's CEO didn't respond to requests for comment, leaving questions about their security practices unanswered.
The vulnerability affected nearly 17,000 orders, but the real number at risk could be much higher given the administrative access to 883 stores. For cybersecurity professionals, this case study demonstrates how basic authentication failures can cascade into system-wide compromises.
This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.