Imagine you file a health insurance claim with your insurer. You’ve been upfront with your pre-existing diseases (PEDs) and have submitted all the necessary hospital documents, only to discover that your claim got denied because your insurer went behind your back and checked your Google timeline, which showed that you were not present in the hospital when you said you were for treatment.
Doesn’t this sound invasive, maybe even illegal? That’s exactly what Vallabh Motka experienced when his claim was rejected due to “discrepancies from the insured’s statement to the verified Google timeline, as per the insured statement. As per GTL (Google Timeline), the hospital location was not seen in the patient’s Google map during the patient’s hospitalisation, even when his phone was with him during hospitalisation”, as per the judgment
Can insurance companies legally access our private digital data, such as our Google timelines, to verify health insurance-related claims? ET Wealth Online spoke to multiple experts to find out the truth.
What happened?
Vallabh Motka had purchased a Rs 6.5 lakh mediclaim policy from Go Digit General Insurance, which was due to expire on February 21, 2025. Motka was admitted to Arham Hospital in Silvassa on 11th September 2024 on account of viral pneumonia. He was subsequently discharged on September 14th.
When he submitted a claim of Rs 48,251, it was rejected by Go Digit on account of “mismatches in the insured’s Google timeline”.
In other words, a key reason Motka’s claim got turned down by Digit was that they discovered that the hospital’s location wasn’t recorded on those dates on his Google timeline. This means that on the days he said he was admitted to the hospital, his Google timeline did not show the hospital’s location.
The policyholder escalated his complaint to the consumer forum, where he finally got relief with the forum directing the insurer to pay the full claim amount of Rs 48,251.
What is Go Digit Insurance’s stand on this matter?
According to the company’s official spokesperson, the Google timeline data from the aggrieved party was acquired with proper consent. However, despite presenting all facts, the Forum dismissed Go Digit’s claim based on the doctor’s certificate provided by Motka. “The statement that a health insurance claim was rejected by us solely due to a mismatch in the Google Timeline of the insured is incorrect. Following an initial review, which indicated discrepancies in the submitted documents and a break in hospitalization, we initiated an investigation”, they said.
“This was conducted by an investigating agency empanelled by the company. The findings revealed multiple inconsistencies, including the patient’s presence for the entire hospital duration, discrepancies in the submitted bills and hospital records, inflated and inconsistent treatment details, and a mismatch in the Google Timeline (obtained with due consent). These factors collectively led to the repudiation of the claim”, the spokesperson highlighted.
“However, we respect the forum’s decision and will take further steps, they added.
Is accessing a policyholder’s private digital information allowed by IRDAI?
Digit Insurance claims that it got the information about Motka’s Google timeline with due consent, but Motka’s lawyer, AN Desai, who represented him in the Consumer Forum, has stated in various media reports that investigators of some insurance companies trick patients into giving them access to their phones to look at their Google location history.
As Alay Razvi, Managing Partner, Accord Juris, says, “Insurance companies cannot legally access Google location history of the policyholder to assess or reject health insurance claims, without their explicit and informed consent.
There is no regulation under IRDAI or any Indian law that mandates or permits insurers to demand or rely on Google Maps location data as conclusive evidence. Such use may be challenged as a violation of privacy under Article 21 of the Constitution and the Digital Personal Data Protection (DPDP) Act, 2023.
He further explains that IRDAI’s current regulations on health insurance claims (IRDAI Health Insurance Regulations, 2016) do not authorise or mention the use of geolocation or mobile tracking for claim verification. “Claims must be evaluated based on standard evidence such as hospital records, discharge summaries, and doctor certificates, not digital surveillance”, he adds. And even if such data is collected, it cannot override medical documentation while making claim-related decisions.
Moreover, according to Section 63 of the Bharatiya Sakshya Adhiniyam, any electronic evidence is admissible only if it is accompanied by a certificate of authenticity signed by the device controller. In the case of Vallabh Motka, Digit Insurance relied on raw Google Timeline data without such certification. This is why the forum rightfully held that “unless Google officials personally verify the data in court, the Timeline holds no legal validity.”
Adds Kunal Sharma, Founder & Managing Partner, Taraksh Lawyers & Consultants, “for a rejection based on location data to be valid, insurers must: (a) include explicit authorisation in policy terms for using such data, (b) obtain informed consent as per IRDAI Regulation 2024 and the DPDP Act, and (c) prove the discrepancy constitutes material misrepresentation or fraud under the Insurance Act.”
IRDAI laws are silent on this matter
However, Shryeshth Ramesh Sharma, Senior Partner, SKV Law Offices, has a different take. He points out that the IRDAI’s Protection of Policy-holders’ Interests Regulations 2017 doesn’t clearly state whether an insurer or its investigator can ask for access to a customer’s live GPS feed or Google Timeline. Essentially, it doesn’t say anything about tracking Google timelines or other digital data for verifying claims, leaving an ambiguous yet vast playfield for insurers and their investigators.
“Investigators are free to gather information under Section 33 of the Insurance Act, but only ‘books of account, registers and other documents’ have to be produced on demand. While it lets an insurer open a claim investigation, it imposes a 30-day deadline (extendable to 45 days) for completing that exercise; it is silent on compelled smartphone tracking”.
Sharma agrees, mentioning that in the absence of specific provisions in the IRDAI Regulation 2024 or other guidelines allowing the use of location data for processing claims, these practices are not typical, unless they have been explicitly outlined in the policy terms and conditions, and the policyholder has given his consent when the policy was issued or when a claim was submitted.
So, while this action is not exactly standard, it does fall in a regulatorily grey zone, which could leave more policyholders vulnerable to similar incidents in the future.
What digital data are insurers legally allowed to access or can rely on for claim decisions?
However, this does not imply that insurers are barred from legally accessing any digital data points associated with the policyholder for claim verification. They can obtain information from hospital information systems like admission logs, EMR (electronic medical record) extracts and CCTV time-stamps, provided they follow the proper procedures and obtain the necessary permissions.
Even wearable-device telemetry, including heart-rate or step-count data, can be legally collected by an insurer, but only if the policy explicitly states this and the customer agrees. Apart from this, pharmacy e-bills, credit-card swipes or UPI records can be used to confirm the purchase of prescribed drugs, but again, this requires consent.
However, experts point out that publicly available content from social media, including publicly visible posts, can be collected without consent. Insurers cannot statutorily demand information like live GPS feeds, call-detail records, e-mail archives or private chats, as these do not fall under the “minimum information” criteria set by the IRDAI (Minimum Information Required for Investigation and Inspection) Regulations 2020.
