Why I’m Choosing to Steer Clear of Apollo Hospitals: A Personal Cautionary Tale
I recently needed a straightforward medical quote for a minor procedure. Nothing urgent, nothing complex, just an estimate to help me plan. I turned to Apollo Hospitals, one of India’s best-known healthcare brands, with a network spanning dozens of cities and a reputation for catering to international patients. What should have been a five-minute email exchange turned into a frustrating loop of automated replies insisting I “forgot to upload my passport.” No passport, no quote. Simple as that.
At first, I thought it was a glitch. Then I wondered if it was a poorly designed form for medical tourists. But the more I dug, the less it felt like an oversight and the more it felt like a red flag, especially when layered against Apollo’s documented history of data security incidents. This isn’t about fearmongering. It’s about informed choice. And after what I’ve learned, I’ve decided Apollo isn’t a risk I’m willing to take with my personal information. Here’s why.
My Experience: When a Quote Requires a Passport
I filled out Apollo’s online inquiry form with the basics: my name, email, phone number, a brief description of the procedure, and attached medical reports. Standard stuff. Within minutes, I received an automated response:
“Thank you for your inquiry. Please upload a clear copy of your passport to proceed with your treatment cost estimate.”
No explanation. No option to proceed without it. No human follow-up.
I replied, clarifying that I only wanted a ballpark figure and had no intention of traveling or booking yet. Another autoresponder. Same message.
For context: I’ve requested quotes from other major hospital chains and standalone clinics in India and abroad. None demanded ID upfront. Some asked for medical history. A few wanted a phone call. But a passport scan before even discussing cost? That’s a first.
A Pattern of Security Incidents: The Facts
Apollo Hospitals has faced multiple publicly reported data security events in recent years. These aren’t rumors; they’ve been documented by cybersecurity researchers, ethical hackers, and media outlets. Here’s a factual timeline:
- 2018: A vulnerability in Apollo’s online appointment portal (Ask Apollo) exposed personal details of over one million users, including names, phone numbers, and appointment history. An ethical hacker reported it privately, but Apollo initially did not respond.
- 2021: A software update from third-party vendor Kaseya triggered a network-wide system crash across Apollo facilities. While no data loss was confirmed, the incident disrupted operations and raised questions about supply chain security. Apollo filed a police complaint.
- October 2024: The ransomware group Kill Security (aka KillSec) claimed responsibility for breaching Apollo’s systems. They alleged they stole sensitive patient data, including full names, medical diagnoses, Aadhaar numbers, PAN cards, passport scans, vaccination records, payment details, and internal source code. The group threatened to publish the data unless a ransom was paid. Samples were reportedly shared on dark web forums.
- April 2025: Security researchers discovered an unsecured zip file on an Apollo subsidiary website containing medical records, internal credentials, and personal data of at least 94 individuals (including 58 third-party patients). The file reportedly stemmed from the 2024 breach. Despite being notified in January 2025, the exposure remained live for weeks.
These incidents are not isolated. India’s healthcare sector saw 1.9 million cyberattacks in 2022 alone, with hospitals increasingly targeted due to the high value of medical data on the black market.
Apollo has stated it uses encryption, access controls, and complies with India’s IT Act and Digital Personal Data Protection (DPDP) Act 2023. But compliance doesn’t equal immunity. And history shows that when breaches occur, the fallout can be severe.
What Could Go Wrong? The Real Risks of a Data Leak
Let’s be clear: a stolen passport scan isn’t just an inconvenience. When combined with medical history, it becomes a goldmine for identity theft, fraud, and blackmail. Here are some realistic scenarios, none far-fetched:
- Identity Theft & Financial Fraud
A passport contains your full name, photo, date of birth, nationality, and passport number. Paired with an address or phone number (easily obtained), criminals can open bank accounts, apply for loans, or file fake tax returns in your name.
- Medical Identity Theft
Stolen health records can be used to purchase prescription drugs, file fraudulent insurance claims, or even receive treatment under your name, potentially altering your real medical file with false allergies, conditions, or procedures.
- Blackmail or Extortion
Sensitive diagnoses (mental health issues, STDs, fertility treatments, or genetic conditions) can be weaponized. We’ve seen ransomware groups threaten to contact family members or employers with embarrassing medical details.
- Travel & Visa Fraud
A forged passport (using your scanned copy) could be used for illegal border crossings, money laundering, or terrorist watchlist manipulation. You might face travel bans or interrogations at immigration, through no fault of your own.
- Dark Web Sales
Complete medical + ID dossiers sell for $1,000 or more per record. Once leaked, your data circulates indefinitely. Monitoring services like Have I Been Pwned? can alert you, but they can’t erase the exposure.
These aren’t hypotheticals. The U.S. Federal Trade Commission reports that medical identity theft affects hundreds of thousands annually. In India, Aadhaar-PAN leaks have fueled tax fraud rings. A passport in the wrong hands is a master key.
Apollo’s Privacy Policy: Fine Print, Real Limits
Apollo does have a privacy policy, available on their website and updated to reflect India’s DPDP Act. It states:
- They collect only “necessary” personal data.
- You consent by using their services.
- Data may be shared with affiliates, doctors, and payment processors.
- They’re not liable for breaches beyond their control.
But here’s the catch: “necessary” is self-defined. If their system labels a passport as required for a quote, they can claim it’s essential, even if competitors don’t. And while they promise encryption, no hospital can guarantee 100% security. The 2024 ransomware attack proved that.
You can request data deletion, but only after services are rendered. During the quote phase? You’re already in the system.
Why I’m Choosing to Look Elsewhere
This isn’t about denying Apollo’s clinical expertise. They have skilled doctors, modern facilities, and a long track record. But healthcare isn’t just about treatment; it’s about trust.
When a hospital demands sensitive ID for a basic estimate, especially after multiple breaches, it signals a culture that prioritizes process over privacy. I don’t want my passport sitting in a database that’s been ransomed once and left exposed for months afterward.
I value my data. I value control. And I believe patients should be able to inquire about care without surrendering identity documents on day one.
Final Thoughts: Your Data, Your Choice
I’m not telling anyone to boycott Apollo. That’s not my place. But I am sharing my experience and my reasoning so others can decide for themselves.
If you’re comfortable uploading your passport for a quote, knowing the breach history, that’s your call. For me, the risk outweighs the reward. One data leak could haunt me for years. One quote isn’t worth that.
Healthcare should empower patients, not expose them. Until Apollo revises its data collection practices and demonstrates stronger post-breach accountability, I’ll be taking my inquiries, and my trust, elsewhere.
Opinions reflect the author’s personal experience and judgment.