Is cloud storage safe for medical records in India? A 2026 guide
- Seht Health Team

- 5 days ago

Cloud storage is safe for medical records in India when you use an app that meets four specific standards: end-to-end AES-256 encryption, compliance with India's Digital Personal Data Protection Act 2023 (DPDP Act), consent-based data sharing with no third-party data sale, and ABDM certification from India's National Health Authority. This guide explains exactly what to look for, what risks exist with generic cloud services like Google Drive, and how India's new data protection law changes the accountability framework for any app handling your health data.
For the complete guide to storing medical records digitally in India, read: store medical records digitally India (https://www.seht.in/post/store-medical-records-digitally-india-2026)
What you'll learn:
• The 4 security standards that make cloud health storage safe in India
• What India's DPDP Act 2023 means for your stored health records
• Why Google Drive and generic cloud services are risky for health data
• The specific risks of storing health records in generic cloud apps
• How to verify whether a health records app is genuinely secure
What makes cloud storage safe for medical records in India

Not all cloud storage is equal. The difference between a secure health records platform and a risky one comes down to four technical and legal standards:
Standard 1: AES-256 end-to-end encryption
AES-256 (Advanced Encryption Standard, 256-bit key) is the current gold standard for healthcare data encryption. Applied end to end, it means your records are encrypted before they leave your device, during transmission, and while stored on servers. Even if a server were breached, encrypted data cannot be read without the decryption key. ABDM-certified health apps are required to implement AES-256 encryption. Seht uses this standard for all stored health data.
Standard 2: DPDP Act 2023 compliance
India's Digital Personal Data Protection Act 2023 is being rolled out in three phases: Phase 1 (November 2025) established the Data Protection Board of India. Phase 2 (November 2026) activates consent manager frameworks. Phase 3 (May 2027) activates all remaining compliance obligations including data breach notification requirements, data retention and erasure triggers, and security safeguard mandates. Any app storing Indian residents' health data must comply. Under DPDP, health data is treated with the highest sensitivity standards.
Standard 3: Consent-based data sharing, no third-party sale
Under the DPDP Act, personal health data can only be shared for the specific purpose for which it was collected, with explicit, informed consent. No app handling your health data may sell, share, or monetise it for advertising purposes. Apps that monetise through advertising (including generic services like Google) or that share data with third parties without explicit consent violate this standard.
Standard 4: ABDM certification
ABDM (Ayushman Bharat Digital Mission) certification from India's National Health Authority means the app has been verified for interoperability standards, consent architecture, and data protection requirements aligned with India's national digital health policy. ABDM-certified apps can also link to ABHA accounts for record syncing. ABDM certification is the clearest indicator that a health app meets India-specific standards.
Platform | Encryption | DPDP-compliant | ABDM certified | No third-party data use | Health-specific structure |
Seht | Yes (AES-256) | Yes | Yes | Yes | Yes, built for health records |
Google Drive | Yes (at rest) | Partially (Google ToS; GDPR-aligned, not DPDP) | No | No, advertising-supported model | No, generic file storage |
WhatsApp | End-to-end for messages (not files at rest) | No, Meta data practices not DPDP-aligned | No | No, Meta uses metadata for advertising | No, messaging app, not a health platform |
iCloud | Yes (at rest) | Partially (Apple ToS; GDPR-aligned, not DPDP) | No | Partially | No, generic file storage |
Email (Gmail, Outlook) | In transit only | No, not health-data specific | No | No, advertising-supported | No |
In simple terms: Cloud storage for medical records in India is safe when the app was built specifically for health data with AES-256 encryption, Indian law compliance (DPDP Act), no data selling, and ABDM certification. It is risky when you store health records in generic services like Google Drive or WhatsApp, which are not designed for health data, are not DPDP-compliant for health-specific standards, and are monetized through data-adjacent advertising models. The health app is built for this job; the file folder is not.
The risks of using generic cloud storage for medical records in India
Google Drive: convenience without health-specific protection
Google Drive encrypts data at rest and in transit, which is good. However, Google Drive is not DPDP Act compliant for health data specifically. It is an advertising-supported service, and Google's Terms of Service allow use of data for service improvement and advertising purposes. Health records stored in Drive have no health-specific structure (no medication lists, no allergy records, no emergency health card). Finding a specific document requires searching through generic file folders. In an emergency, there is no shareable health summary, only folders of files.
WhatsApp: messaging app carrying clinical data
WhatsApp end-to-end encrypts messages but not media files at rest on Meta's servers. More critically, a WhatsApp 'medical records folder' is a series of messages in a chat, not an organised health record system. In May 2026, a Pune clinic was reported to the Data Protection Board of India after an MRI report was accidentally forwarded to a family WhatsApp group by a clinic staff member. The DPDP Act makes data fiduciaries (apps and companies handling your data) liable for breaches, but WhatsApp's data practices are not aligned with the health-specific consent and purpose-limitation standards of India's DPDP Act.
Email (Gmail, Outlook, others): storage by accident
Many Indian patients receive lab reports by email and consider their inbox an 'archive'. Email encrypts data in transit but not consistently at rest in most consumer services. Email is not organized by family member, record type, or date in any health-relevant way. Email accounts are among the most commonly compromised digital accounts. A leaked email account exposes every health record ever received.
How to verify whether a health records app is genuinely secure in India
Before trusting any app with your family's health records, verify these five things:
- Look for ABDM certification: Check whether the app is listed as an ABDM-certified partner on the National Health Authority website (nha.gov.in). Certification requires meeting technical and privacy standards set by the Government of India.
- Read the privacy policy specifically for health data: Does the policy state explicitly that health data is not sold, shared, or used for advertising? If the privacy policy is vague or refers to 'service improvement' uses of your data, that is a risk flag.
- Confirm AES-256 encryption: The app should specify the encryption standard in its security documentation or privacy policy. If this information is not available, ask the company directly.
- Check for DPDP Act compliance statements: As of 2026, responsible health apps operating in India should reference DPDP Act 2023 compliance in their privacy documentation. The DPDP Act Phase 1 is already active.
- Test the consent mechanism: Does the app ask for specific, granular consent before sharing any data with a third party? Blanket consent forms that approve all data uses are not DPDP-compliant.
For guidance on what to do after your records are safely stored and organized, read: How to organize medical records at home: India guide (https://www.seht.in/post/organise-medical-records-home-india)
When to review your health data security

- After any major data breach news involving health apps in India: check whether your app was affected and whether your credentials should be changed
- After changing phones: ensure records are properly transferred to the new device and the old device's app data is cleared
- After sharing health records with a new provider: review what access was granted and whether it should be revoked
- Annually: review which apps on your phone have access to your health data and revoke any permissions that are no longer needed

Emergency: If you believe your health data has been accessed without your consent, file a complaint with the Data Protection Board of India at https://dpboard.gov.in and contact the app's data protection officer.
FAQs
Is cloud storage safe for medical records in India in 2026?
Cloud storage for medical records in India is safe in a dedicated, DPDP Act-compliant, ABDM-certified health records app with AES-256 encryption and no third-party data sharing. It is not adequately safe in generic services like Google Drive, WhatsApp, or email, which lack health-specific security, DPDP compliance, and health-specific data structure. Seht meets all four safety standards for Indian health data storage.
What is the DPDP Act and how does it affect my medical records?
India's Digital Personal Data Protection Act 2023 (DPDP Act) establishes that your health data belongs to you, can only be used for the purpose it was collected, requires explicit informed consent for any sharing, and grants you rights of access, correction, and deletion. Phase 1 (Data Protection Board) is active from November 2025. Phase 3 full enforcement begins May 2027. Any app handling Indian health data must comply; non-compliance risks penalties under the Act.
Is Google Drive safe for storing medical records in India?
Google Drive encrypts data at rest and in transit but is not purpose-built for health data. It is not specifically DPDP Act-compliant for health-sensitive standards, is advertising-supported (meaning your usage data informs Google's advertising ecosystem), and has no health-specific structure (no medication lists, emergency cards, or family profiles). It is better than paper but not adequate as a primary health records system for Indian families.