India's Largest Private Pharmacy Chain Exposed Customer Health Data and Internal Systems Through Critical API Vulnerability

A security researcher gained "super admin" access to DavaIndia Pharmacy's entire backend, revealing prescription data for 17,000 orders across 883 stores—and the ability to remove prescription requirements from controlled medications.


Executive Summary

A critical security vulnerability in DavaIndia Pharmacy, operated by Zota Healthcare and self-described as "India's largest private generic pharmacy retail chain," allowed unauthenticated users to create super administrator accounts with complete control over the company's digital infrastructure. The flaw, discovered by security researcher Eaton Zveare in August 2025 and publicly disclosed on February 13, 2026, exposed sensitive health-related purchase data for nearly 17,000 customer orders and provided administrative access to 883 retail pharmacy stores.

The vulnerability went beyond typical data exposure: an attacker could have modified prescription requirements for controlled medications, created unlimited discount coupons (including 100% off), altered product pricing, and defaced the company's website. While Zveare reported no evidence of malicious exploitation, the security lapse raises serious questions about cybersecurity practices in India's rapidly expanding pharmaceutical retail sector—and arrives just as India's Digital Personal Data Protection (DPDP) Act 2023 begins to take effect.

This incident underscores a troubling pattern: healthcare and pharmacy organizations, despite handling some of the most sensitive personal data imaginable, continue to deploy systems with fundamental security flaws that would be considered unacceptable in financial services or other regulated industries.


The Discovery: Insecure Admin APIs Grant Total Control

Finding the Keys to the Kingdom

Security researcher Eaton Zveare, known for his responsible disclosure work across various industries, stumbled upon DavaIndia Pharmacy while examining the attack surface of major Indian healthcare platforms. What he found was remarkable not for its sophistication, but for its simplicity.

An admin subdomain with a login page is normal. What was not normal was what the login page shipped with: the DavaIndia admin site was built with Next.js, and its client-side JavaScript bundle referenced a set of "super-admin" API endpoints. Those endpoints enforced no authentication at all. The login form was decoration; the server behind it answered anyone.

"I found an admin subdomain that presented a simple login," Zveare wrote in his detailed technical disclosure. "The site is developed using Next.js, so naturally there's plenty of client-side JS to pick through. One part that stood out immediately was the forgot password code that mentioned super-admin APIs."

Zveare attempted a simple GET request to the super-admin users endpoint and received a complete list of all super administrator accounts in the system—without providing any credentials. The system's only security measure, apparently, was hoping no one would look.

Creating a Super Admin Account

The real test came when Zveare attempted to create his own administrative account. No client-side code showed how to call the account-creation endpoint, which made this, as he described it, a "true blind test." The API filled the gap itself: each rejected request came back with an error message naming the fields that were missing.

"The response indicated that it was a supported operation, but I did not form the request correctly," Zveare explained. "Since there was no example request/code to create a super admin account, the fact that the response told me what was missing was incredibly helpful. Adding in the missing fields one-by-one, I eventually formed a successful request."

After creating the account, Zveare used the password reset function—which also required no verification—to set a password and logged in. He now had complete administrative access to one of India's largest pharmacy chains.


The Scope of Exposure: What Super Admin Access Revealed

Customer Order Data: 17,000 Health Purchases Exposed

With super administrator privileges, Zveare could access detailed records of nearly 17,000 online orders placed through DavaIndia's platform. Each order contained:

  • Full customer name
  • Phone numbers
  • Email addresses
  • Complete mailing addresses
  • Total amount paid
  • Itemized list of products purchased

For a general e-commerce platform, this would be concerning. For a pharmacy, it's potentially devastating.

"Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people," Zveare noted. His disclosure included references to products like "Night Rider Premium Condoms" and adult diapers—purchases that most customers would reasonably expect to remain confidential.

But prescription medications represent an even more sensitive category. Knowledge that someone purchased specific prescription drugs can reveal:

  • Mental health conditions (antidepressants, antipsychotics)
  • HIV/AIDS status (antiretroviral medications)
  • Sexual dysfunction (erectile dysfunction medications)
  • Chronic conditions (diabetes medications, heart medications)
  • Pain management issues (potentially stigmatized pain medications)
  • Reproductive health decisions (contraceptives, fertility medications)

This information, in the wrong hands, could be used for blackmail, discrimination in employment or insurance, social stigmatization, or targeted scam campaigns impersonating healthcare providers.

Store Management: 883 Pharmacies Under Threat

The administrative access extended beyond customer data to complete control over DavaIndia's retail operations spanning 883 stores. While Zota Healthcare claims to operate over 2,300 DavaIndia stores nationwide, the 883 stores accessible through the compromised system appeared to be those enabled for online ordering.

For each store, an attacker could:

  • View and modify store details
  • Access pharmacist assignments
  • View private pharmacist PIN codes
  • Alter operational settings

The exposure of pharmacist PIN codes is particularly concerning. These credentials could potentially be used for in-person fraud at physical pharmacy locations, enabling prescription fraud or unauthorized access to controlled substances.

Product and Inventory Control: The Prescription Problem

Perhaps the most alarming capability granted by super admin access was control over DavaIndia's product catalog, including the ability to modify whether specific medications required a prescription for purchase.

India, like most countries, regulates certain medications that can only be legally dispensed with a valid prescription from a licensed medical practitioner. These regulations exist for crucial reasons:

  • Drug interactions: Some medications can be dangerous when combined
  • Dosage requirements: Incorrect dosing can cause harm or death
  • Underlying conditions: Some symptoms require medical evaluation before treatment
  • Controlled substances: Certain medications have abuse potential
  • Antibiotic resistance: Unnecessary antibiotic use contributes to resistant bacteria

Zveare demonstrated that the admin panel included a simple toggle to enable or disable prescription requirements for any product. While he did not test whether the system would actually process an order for a prescription-only medication with the toggle disabled, he noted: "This was not tested, but it is highly likely it would have worked."

An attacker exploiting this vulnerability could have:

  1. Identified prescription-only medications with street value or abuse potential
  2. Disabled the prescription requirement
  3. Placed orders for personal use or resale
  4. Re-enabled the requirement to cover their tracks

Alternatively, a malicious actor could enable prescription requirements for previously over-the-counter medications, disrupting legitimate customer purchases and causing confusion.

Financial Fraud: 100% Off Coupons

The coupon creation system within the admin panel had no apparent limits or restrictions. Zveare demonstrated the creation of a 100% discount coupon, reducing an order total to just a nominal platform fee.

"Using the Coupons panel, I created a 100% off coupon that would only work for a specific email," he described. "When I went to place the order, there it was... The coupon code was applied successfully, and the entire order was made free besides some platform fee."

He added: "This was enough to prove it would work, so the order was not submitted, and the coupon was deleted."

A financially motivated attacker could have generated thousands of dollars' worth of free merchandise before anyone noticed. A more patient one would have created modest 20-30% discounts that blend in with legitimate promotions, extracting value over months rather than days.

Website Defacement and Disruption

The admin panel included "Sponsor Settings" that controlled video content displayed on the DavaIndia homepage and throughout the site. Zveare noted the potential for replacing legitimate pharmaceutical content with inappropriate or harmful material.

While he jokingly referenced the possibility of inserting the infamous "Rick Roll" video, the implications are more serious. A malicious actor could:

  • Replace health information with misinformation
  • Insert malware-distributing content
  • Display offensive material damaging the brand
  • Redirect users to phishing sites
  • Post fraudulent announcements about contaminated medications (causing panic)

Timeline: Six Months from Discovery to Disclosure

The timeline of this vulnerability's existence and remediation raises questions about both DavaIndia's internal security practices and their communication with regulatory authorities.

Pre-Discovery: Vulnerability Live Since Late 2024

Based on system timestamps Zveare observed, the vulnerable administrative interfaces appeared to have been exposed since late 2024—meaning the security gap existed for approximately eight months before discovery.

Throughout that window, and since, Zota Healthcare has been expanding DavaIndia aggressively: 276 new stores in Q3 FY26 (October-December 2025) alone, with announced plans to add another 1,200 to 1,500 stores over the following two years and Rs 350 crore (approximately $41 million USD) committed to the expansion. The online ordering platform was growing its customer base while its admin APIs stood open.

August 20, 2025: Initial Report to CERT-In

Zveare reported the vulnerability to CERT-In (Indian Computer Emergency Response Team), India's national cyber emergency response agency. CERT-In acknowledged receipt and confirmed they would take action with the concerned authority.

Reporting through a national CERT is an accepted coordinated-disclosure route, and a sensible one when a company publishes no security contact: it creates a dated record of the report and puts a government body in the loop for remediation. It does not, however, guarantee speed, as the weeks that followed show.

September 16, 2025: Vulnerability Fixed (Approximately)

Zveare noticed the vulnerability had been patched and requested confirmation from CERT-In. The actual fix may have been deployed before this date; the exact remediation timeline remains unclear.

A month is at the slow end for a fix of this kind, since putting existing endpoints behind the existing admin login is a small change, but it is well inside the 90-day window most disclosure policies allow. The lack of any communication back to the researcher was the larger failing.

October 16 - November 17, 2025: The Communication Gap

Despite the fix being implemented, Zota Healthcare failed to confirm remediation to CERT-In for over two months. Zveare repeatedly asked for updates, and CERT-In responded that they were "still waiting to hear from Dava India."

This communication failure is concerning. Under the CERT-In Directions of April 2022, organizations must report specified cybersecurity incidents to CERT-In within six hours of noticing them. That obligation covers incidents rather than externally reported vulnerabilities, and the Directions set no deadline for confirming a fix, so the silence was not obviously a breach of the rules. But an organization that takes months to acknowledge its national CERT is unlikely to meet a six-hour clock when an actual incident occurs.

November 28, 2025: Belated Confirmation

More than three months after the initial report, and more than two months after the fix was observed, DavaIndia finally confirmed to CERT-In that the issue was resolved.

February 13, 2026: Public Disclosure

Zveare published his full technical disclosure, coordinated with TechCrunch's exclusive coverage. TechCrunch noted that Sujit Paul, CEO of Zota Healthcare, "did not respond to emails sent by TechCrunch last month."

The non-response to media inquiries, combined with the delayed regulatory confirmation, suggests Zota Healthcare may lack a mature security communication strategy—a concerning gap for a company handling sensitive health data.


Regulatory Implications: India's Evolving Data Protection Landscape

The Digital Personal Data Protection Act 2023

This security incident arrives at a pivotal moment for data protection in India. The Digital Personal Data Protection (DPDP) Act, passed in 2023, represents India's first comprehensive data protection legislation, following the landmark 2017 Supreme Court decision in Puttaswamy v. Union of India that recognized privacy as a fundamental right under the Indian Constitution.

The DPDP Rules, released on November 13, 2025—just weeks before DavaIndia finally confirmed remediation of this vulnerability—establish specific requirements for organizations handling personal data:

Data Breach Notification:

  • Data Fiduciaries must notify the Data Protection Board of India and affected individuals "without any delay" upon becoming aware of a breach
  • A detailed report must be submitted within 72 hours
  • Unlike GDPR, there is no materiality threshold—all breaches require reporting

Security Requirements:

  • Organizations must implement "reasonable security safeguards" to prevent breaches
  • Records of security incidents and actions taken must be preserved
  • Third-party vendors (including software providers) must follow security procedures

Penalties:

  • The DPDP Act provides for penalties up to Rs 250 crore (approximately $29 million USD) for serious violations

Compliance Timeline:

  • Full compliance is expected by May 13, 2027
  • Organizations must issue retrospective privacy notices for data processed before the rules took effect

Did DavaIndia Violate Data Protection Requirements?

The DavaIndia situation exists in a regulatory gray zone. The vulnerability was discovered and fixed before the DPDP Rules were formally released. However, several questions arise:

1. Was this a "breach"? The researcher reported no evidence of malicious exploitation, and customer data apparently remained secure. However, the extended exposure window (potentially eight months) means that, unless DavaIndia holds access logs covering that whole period and has reviewed them, nobody can confirm that no one else found the endpoints first. Under precautionary interpretations, this could constitute a reportable incident.

2. Were security safeguards "reasonable"? Leaving administrative APIs completely unauthenticated fails any reasonable security standard. Basic API security—authentication, authorization, rate limiting—represents industry baseline practices, not advanced security measures. A strong argument exists that DavaIndia failed its obligation to implement reasonable safeguards.

3. What about existing regulations? Before the DPDP Act, Section 43A of the Information Technology Act and the 2011 Reasonable Security Practices rules issued under it required bodies handling sensitive personal data to maintain "reasonable security practices and procedures," and named ISO/IEC 27001 as one standard that satisfies the requirement. Unauthenticated admin APIs would be hard to reconcile with those requirements as well.

CERT-In's 2022 Directions

CERT-In's Directions, issued in April 2022 and in force from June of that year, require organizations to report specified cybersecurity incidents within six hours of noticing them. They were written for active incidents rather than researcher reports, but they set an expectation of rapid engagement with the national CERT that DavaIndia's months-long silence plainly did not meet.


Healthcare Cybersecurity: A Sector Under Siege

The Pharmacy as Target

DavaIndia's security lapse is not an isolated incident. Healthcare and pharmaceutical organizations worldwide face unprecedented cyber threats, driven by several factors:

High-Value Data: Health records are widely reported to sell on criminal marketplaces for many times the price of payment card numbers, and the reason is durability. A compromised card can be cancelled and reissued; a diagnosis, a prescription history or a medical record number cannot be changed.

Digital Transformation Pressures: Healthcare organizations, including pharmacies, are racing to digitize operations, implement online ordering, and integrate mobile applications. Speed-to-market pressures often override security considerations, resulting in vulnerabilities like those found at DavaIndia.

Legacy Systems: Many healthcare organizations operate on aging infrastructure with known vulnerabilities, maintained by understaffed IT departments more familiar with clinical systems than modern cybersecurity practices.

Regulatory Complexity: Unlike financial services, where regulatory requirements are well-established and heavily audited, healthcare cybersecurity regulations vary significantly by jurisdiction and often lack enforcement mechanisms.

Recent Healthcare Breaches: A Pattern of Vulnerability

The DavaIndia incident joins a troubling series of healthcare sector security failures:

Change Healthcare (United States, 2024): A ransomware attack against Change Healthcare, a UnitedHealth-owned claims and payments clearinghouse that also routes pharmacy transactions, disrupted prescription processing at pharmacies across the United States for weeks. The attack demonstrated how a single point of failure in healthcare infrastructure can cascade across a national health system.

Sun Pharmaceutical (India, 2023): One of India's largest generic drug producers suffered a significant cybersecurity breach impacting business operations. The incident highlighted that even major pharmaceutical companies with substantial resources struggle with cyber defense.

Medibank (Australia, 2022): Health insurer Medibank experienced a breach exposing sensitive health data for millions of customers, including mental health records and pregnancy termination information. The breach led to public disclosure of highly personal medical information.

The Unique Risks of Pharmacy Data

Pharmacy data presents distinct risks compared to other healthcare information:

Purchase History Reveals Conditions: Unlike hospital records, which require interpretation, pharmacy purchases directly reveal diagnoses. Purchasing insulin indicates diabetes; purchasing antiretrovirals strongly suggests HIV treatment; purchasing specific psychiatric medications indicates mental health conditions.

Stigmatization Potential: Certain pharmacy purchases—erectile dysfunction medications, STI treatments, addiction medications, psychiatric drugs—carry significant social stigma that could be weaponized against individuals.

Pattern Analysis: Long-term pharmacy records reveal condition progression, treatment changes, and medication adherence patterns that could be valuable for insurance discrimination or employment decisions.

Geographic Correlation: Combined with address information, pharmacy data enables geographic clustering of health conditions—potentially valuable for market research but concerning for community privacy.


Technical Analysis: How This Should Never Have Happened

API Security 101

The vulnerabilities exploited by Zveare represent fundamental API security failures that should be caught in basic security reviews:

Authentication (Who are you?): The DavaIndia super admin API required no authentication whatsoever. Any user could access administrative endpoints without providing credentials. This fails the most basic security requirement.

Authorization (What can you do?): Even if some authentication existed, the system should have verified that authenticated users were authorized for administrative actions. There's no indication such checks existed.

Error Verbosity: The API told Zveare exactly which fields were missing from his account-creation request, which turned a blind test into a short one. That is not itself the defect: descriptive validation errors are good API design for callers who have already proven who they are, and generic messages would only have slowed an attacker at an endpoint that should never have answered at all. The lesson is that unauthenticated callers should get nothing useful back, because the authentication check has to run before the request body is even looked at.

Rate Limiting: There's no indication the API limited request frequency, meaning an attacker could enumerate users, test payloads, and create accounts without triggering alerts.

Audit Logging: A proper security implementation would log all administrative API calls, enabling detection of suspicious activity. Whether DavaIndia had such logging is unclear, but the extended exposure window suggests monitoring was inadequate.
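
Audit logging only pays off if someone queries it. As an added example (not from the disclosure, and not DavaIndia's tooling), here is a small detector that runs over constructed API-gateway logs and flags the three patterns this incident would have produced: a success on an admin route with no authenticated user, a burst of 4xx responses on one POST path followed by a 2xx (the fields being filled in one by one), and an account creation followed within minutes by a password reset from the same source. The log format, field names, time window, thresholds and IP addresses are all assumptions.

```javascript
'use strict';
// Added detection example, not from the disclosure or DavaIndia. The log
// format is constructed for the example: one JSON object per line with the
// fields a reverse proxy or API gateway typically emits. "user" is null when
// the request carried no valid session. Addresses are documentation ranges.
const SAMPLE_LOG = `
{"ts":"2025-08-20T10:00:01Z","ip":"203.0.113.7","method":"GET","path":"/api/super-admin/users","status":200,"user":null}
{"ts":"2025-08-20T10:00:40Z","ip":"203.0.113.7","method":"POST","path":"/api/super-admin/users","status":400,"user":null}
{"ts":"2025-08-20T10:01:05Z","ip":"203.0.113.7","method":"POST","path":"/api/super-admin/users","status":400,"user":null}
{"ts":"2025-08-20T10:01:30Z","ip":"203.0.113.7","method":"POST","path":"/api/super-admin/users","status":400,"user":null}
{"ts":"2025-08-20T10:02:00Z","ip":"203.0.113.7","method":"POST","path":"/api/super-admin/users","status":201,"user":null}
{"ts":"2025-08-20T10:02:30Z","ip":"203.0.113.7","method":"POST","path":"/api/super-admin/reset-password","status":200,"user":null}
{"ts":"2025-08-20T10:03:00Z","ip":"203.0.113.7","method":"POST","path":"/api/auth/login","status":200,"user":"attacker@evil.test"}
{"ts":"2025-08-20T11:00:00Z","ip":"198.51.100.4","method":"GET","path":"/api/super-admin/stores","status":200,"user":"admin@pharmacy.test"}
{"ts":"2025-08-20T11:00:05Z","ip":"198.51.100.4","method":"POST","path":"/api/super-admin/users","status":400,"user":"admin@pharmacy.test"}
{"ts":"2025-08-20T11:00:20Z","ip":"198.51.100.4","method":"POST","path":"/api/super-admin/users","status":201,"user":"admin@pharmacy.test"}
`;

function parseLog(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const e = JSON.parse(line);
    return { ...e, t: Date.parse(e.ts) }; // epoch ms for window arithmetic
  });
}

const isAdmin = (e) => e.path.startsWith('/api/super-admin/');
const is2xx = (e) => e.status >= 200 && e.status < 300;
const is4xx = (e) => e.status >= 400 && e.status < 500;

function detect(events, { windowMs = 10 * 60 * 1000, minProbes = 3 } = {}) {
  const findings = [];

  // Rule 1: any success on an admin route with no authenticated user. With
  // authentication enforced server-side this should never fire at all.
  for (const e of events) {
    if (isAdmin(e) && e.user === null && is2xx(e)) {
      findings.push({ rule: 'unauthenticated-admin-success', ip: e.ip, path: e.path, ts: e.ts });
    }
  }

  // Rules 2 and 3 look at each source address's traffic in time order.
  const byIp = new Map();
  for (const e of events) (byIp.get(e.ip) || byIp.set(e.ip, []).get(e.ip)).push(e);
  for (const [ip, list] of byIp) {
    list.sort((a, b) => a.t - b.t);
    for (const e of list) {
      // Rule 2: a run of 4xx on one admin POST path, then a 2xx on the same
      // path: the "add the missing fields one by one" pattern.
      if (e.method === 'POST' && isAdmin(e) && is2xx(e)) {
        const probes = list.filter((p) => p.method === 'POST' && p.path === e.path && is4xx(p) && p.t < e.t && e.t - p.t <= windowMs);
        if (probes.length >= minProbes) findings.push({ rule: 'blind-field-enumeration', ip, path: e.path, probes: probes.length, ts: e.ts });
      }
      // Rule 3: an account created, then a password reset, from the same address.
      if (e.path.endsWith('/users') && e.status === 201) {
        const reset = list.find((r) => r.path.endsWith('/reset-password') && is2xx(r) && r.t > e.t && r.t - e.t <= windowMs);
        if (reset) findings.push({ rule: 'create-then-reset', ip, ts: reset.ts });
      }
    }
  }
  return findings;
}
```

Run against the sample, the detector reports five findings, all for 203.0.113.7, and nothing for the legitimate admin at 198.51.100.4, whose single validation error before a successful create is normal use. Rule 2 is the one worth tuning: a badly written client can also produce a run of 400s, so the threshold should be set from a baseline of real traffic rather than guessed.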

The Next.js Factor

The DavaIndia website's use of Next.js, a popular React-based framework, contributed to the discovery. Next.js applications include client-side JavaScript bundles that reference API endpoints. Security researchers routinely examine these bundles for sensitive endpoints.

This doesn't make Next.js inherently insecure; the framework supports secure implementations. But an endpoint that must not be called without authorization has to enforce that on the server, and keeping its path out of the bundle is obscurity, not a control. Organizations using client-side frameworks should still review what their bundles expose, never ship secrets or privileged logic in them, and assume every path found in them will be tried.
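
Reading a bundle for endpoints is mechanical, and it is worth seeing how little effort it takes, both for researchers and for the engineers who should be doing it before each release. The following is an added example, not part of the disclosure: it scans a constructed, minified-looking Next.js chunk for string literals containing /api/, normalizes template-literal and absolute-URL forms to a path, guesses the HTTP method from the surrounding call, and puts anything matching an assumed list of sensitive words at the top. Every host, path and chunk id in the sample is invented.

```javascript
'use strict';
// Added example, not code from the disclosure. BUNDLE is a constructed fragment
// in the style of a minified Next.js client chunk; every host and endpoint in
// it is invented for the example.
const BUNDLE = [
  '(self.webpackChunk_N_E=self.webpackChunk_N_E||[]).push([[123],{4567:function(e,t,n){',
  'var r="https://api.example.test";async function o(e){return fetch(r+"/api/v1/products?q="+e)}',
  'async function a(e){return n.post("/api/v1/super-admin/forgot-password",{email:e})}',
  'const s=`${r}/api/v1/super-admin/users`;async function c(){return fetch(s,{method:"GET"})}',
  'async function u(e){return fetch("/api/v1/auth/login",{method:"POST",body:JSON.stringify(e)})}',
  'const d="/api/v1/internal/debug/config";}}]);',
].join('\n');

// Words that mark an endpoint as worth a closer look (assumed list).
const SENSITIVE = /admin|internal|debug|reset|forgot|token|secret|export/i;

// Reduce a literal such as `${r}/api/v1/x?q=1` or "https://h/api/v1/x" to its path.
function normalizePath(raw) {
  return raw.replace(/\$\{[^}]*\}/g, '').replace(/^https?:\/\/[^/]+/, '').split('?')[0];
}

// Best-effort HTTP method: an axios-style `.post(` right before the literal,
// or a `method:"X"` option within a short distance after it; null if neither.
function guessMethod(bundle, start, end) {
  const before = bundle.slice(Math.max(0, start - 40), start);
  const after = bundle.slice(end, end + 80);
  const verb = before.match(/\.(get|post|put|patch|delete)\(\s*$/i);
  if (verb) return verb[1].toUpperCase();
  const opt = after.match(/method:\s*["'](\w+)["']/);
  return opt ? opt[1].toUpperCase() : null;
}

// Pull every quoted or template literal containing "/api/" out of a bundle,
// de-duplicate by path, and flag the ones that deserve manual review.
function extractEndpoints(bundle) {
  const re = /(["'`])([^"'`\n]*\/api\/[^"'`\n]*)\1/g;
  const byPath = new Map();
  let m;
  while ((m = re.exec(bundle)) !== null) {
    const path = normalizePath(m[2]);
    if (byPath.has(path)) continue;
    byPath.set(path, {
      path,
      method: guessMethod(bundle, m.index, m.index + m[0].length),
      sensitive: SENSITIVE.test(path),
    });
  }
  // Sensitive endpoints first so they are the first thing a reviewer sees.
  return [...byPath.values()].sort((a, b) => Number(b.sensitive) - Number(a.sensitive) || a.path.localeCompare(b.path));
}
```

Against the sample chunk this yields five endpoints, three of them flagged: the two super-admin routes and an internal debug path, with GET and POST recovered where the call site makes the method obvious. A defender running the same scan over a production build gets a list to check against the server's route table; every flagged path should either require a session and a role or not exist.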

Responsible Disclosure Worked—This Time

Eaton Zveare's responsible disclosure approach likely prevented this vulnerability from causing widespread harm. By reporting to CERT-In rather than exploiting the flaw or selling the information, Zveare demonstrated the value of ethical security research.

The timeline still shows where the risk lay: the flaw was live from late 2024 until the fix in September 2025, including roughly a month after the report, and anyone who read the same client-side bundle in that window could have found it. Responsible disclosure limits harm only when organizations respond promptly and transparently.


The Business Impact: Trust in the Balance

Zota Healthcare's Ambitious Expansion

This security incident comes at a critical moment for Zota Healthcare. The Gujarat-headquartered company has been aggressively expanding DavaIndia's retail footprint:

  • Current stores: 2,300+ nationwide
  • Recent additions: 276 stores in Q3 FY26 (October-December 2025)
  • Planned expansion: 1,200-1,500 additional stores over two years
  • Investment: Rs 350 crore (~$41 million USD) committed to expansion

The company positions DavaIndia as "India's largest private generic pharmacy retail chain," competing with other pharmacy aggregators and chains for India's growing healthcare market.

Consumer Trust and Brand Reputation

For a pharmacy chain, consumer trust is paramount. Patients must believe their health information remains confidential, their purchases private, and their medications legitimate. The DavaIndia security lapse challenges all three assumptions:

Confidentiality: Customer order data was accessible to anyone who discovered the vulnerability. While no evidence suggests malicious access occurred, customers cannot have complete confidence their information remained private.

Privacy: The detailed purchase histories exposed included potentially embarrassing or stigmatizing products. Customers choosing DavaIndia for discretion now learn that discretion was technically impossible.

Medication Safety: The ability to modify prescription requirements raises questions about whether the medications customers received truly met regulatory standards throughout the vulnerability window.

Competitive Implications

India's pharmacy retail sector is increasingly competitive, with multiple chains and platforms vying for market share. This security incident provides competitors with a differentiation opportunity: demonstrating superior security practices could attract customers concerned about DavaIndia's handling of their data.

Investor Considerations

Zota Healthcare is publicly traded (BSE: 531361). Security incidents of this nature can affect investor confidence, particularly as regulatory scrutiny of data protection increases. The DPDP Act's penalty provisions—up to Rs 250 crore—represent material financial risk for repeated violations.


Recommendations: Securing Healthcare Data

For DavaIndia and Similar Organizations

1. Immediate Security Audit: Commission a comprehensive third-party security assessment covering all customer-facing applications, administrative interfaces, and APIs. This should include penetration testing and code review.

2. Implement Zero Trust Architecture: Administrative functions should require multi-factor authentication, enforce server-side authorization on every endpoint rather than trusting anything the client sends, be reachable only from managed networks or through an identity-aware proxy, and log every action for audit purposes.

3. Establish a Security Operations Center: Given the sensitivity of pharmacy data, continuous monitoring for suspicious activity is essential. This needn't be in-house; managed security services can provide 24/7 coverage.

4. Create a Vulnerability Disclosure Program: Establish a formal process for security researchers to report vulnerabilities, with clear response timelines and public recognition for responsible disclosure.

5. Prepare for DPDP Compliance: The May 2027 compliance deadline approaches. Organizations should begin data mapping, privacy notice preparation, and breach response planning immediately.

For Healthcare Organizations Generally

1. Treat Security as Clinical: Just as clinical errors can harm patients, security failures can harm patients through privacy violations, fraud, and medication errors. Security should receive the same organizational attention as clinical quality.

2. Secure the Supply Chain: Third-party vendors, including e-commerce platforms, must meet security standards. Contracts should include security requirements and audit rights.

3. Train All Staff: Security awareness training should be mandatory for all employees with system access, from pharmacists to customer service representatives.

4. Plan for Incidents: Every healthcare organization should have an incident response plan that covers breach notification, regulatory reporting, customer communication, and forensic investigation.

For Regulators

1. Establish Healthcare-Specific Security Standards: The DPDP Act provides a framework, but healthcare organizations may benefit from sector-specific guidance similar to HIPAA in the United States.

2. Enable Enforcement: Regulations without enforcement provide limited deterrent. Regulatory bodies should be resourced for investigation and penalty assessment.

3. Support Security Research: Encourage responsible vulnerability disclosure through legal safe harbors for security researchers acting in good faith.

For Consumers

1. Be Selective: Consider an organization's security reputation when choosing healthcare providers and pharmacies. Ask about security practices.

2. Minimize Data Sharing: Provide only necessary information. Question whether a service truly needs your complete personal details.

3. Monitor for Misuse: Watch for signs of identity theft or medical fraud. Review explanations of benefits from insurers for services you didn't receive.

4. Exercise Rights: Under the DPDP Act, Indian consumers have rights to access, correct, and delete their personal data. Exercise these rights to understand and control your information.


Conclusion: A Wake-Up Call for India's Digital Health Future

The DavaIndia Pharmacy security incident represents more than a single company's failure—it's a warning about the state of healthcare cybersecurity in one of the world's largest and fastest-growing digital health markets.

India is undergoing a remarkable digital transformation in healthcare. Telemedicine, e-pharmacies, digital health records, and health insurance technology are expanding access to care for hundreds of millions of people. This transformation brings tremendous benefits: improved access, lower costs, better coordination of care.

But digitization without security creates new risks. The sensitive nature of health information—its permanence, its potential for stigmatization, its value for fraud—demands security standards at least as rigorous as those applied to financial services.

The good news: this vulnerability was discovered by an ethical security researcher who reported it responsibly. The bad news: it existed for potentially eight months, and we can only hope no malicious actor found it first.

DavaIndia's response—eventual remediation but delayed confirmation and media silence—suggests an organization that treats security as an inconvenience rather than a core responsibility. As India's DPDP Act takes effect and penalties become real, this attitude will become increasingly costly.

For India's healthcare sector, the message is clear: security is not optional, it's not a cost center, and it's not someone else's problem. It's fundamental to patient trust, regulatory compliance, and sustainable business operations.

The prescriptions are clear. The question is whether the industry will take its medicine.


Key Takeaways

  • DavaIndia Pharmacy, operated by Zota Healthcare and claiming to be India's largest private generic pharmacy chain with 2,300+ stores, left administrative APIs completely unauthenticated
  • Security researcher Eaton Zveare discovered he could create super admin accounts without any authentication, gaining access to 17,000 customer orders and 883 store systems
  • Customer health data exposed included names, contact information, addresses, and sensitive medication purchases
  • Critical capabilities accessible included modifying prescription requirements, creating unlimited discount coupons, and altering product information
  • Vulnerability existed since late 2024 and was fixed about a month after the August 2025 report, but the company did not confirm remediation to CERT-In until late November 2025, more than three months after the report
  • India's DPDP Act 2023 and 2025 Rules establish breach notification requirements (72 hours) and penalties up to Rs 250 crore (~$29 million) for violations
  • No evidence of malicious exploitation, but the extended exposure window makes definitive assessment impossible
  • Healthcare sector continues to lag in cybersecurity despite handling among the most sensitive personal information

This article is based on the public disclosure by security researcher Eaton Zveare and reporting by TechCrunch. DavaIndia and Zota Healthcare did not respond to media requests for comment.

By Breached Company