AIIMS Portal Vulnerability Exposed Sensitive Donor Data

A critical vulnerability in the AIIMS portal exposed highly sensitive data of voluntary organ and tissue donors registered with the Organ Retrieval Banking Organisation (ORBO). The AIIMS portal vulnerability allowed unauthorized access to personally identifiable and medical information of donors across India. This vulnerability was discovered in mid-May 2025 by independent cybersecurity researcher Aniket Tomar. ORBO is a key facility of the All India Institute of Medical Sciences (AIIMS), New Delhi.

The AIIMS portal vulnerability, if left unpatched, had the potential to severely undermine data privacy, public trust and the security of the national digital health infrastructure.

ORBO, as the nodal body for cadaver organ and tissue donation activities at AIIMS, maintains a brain death donor registry and coordinates transplants, making the exposed data particularly sensitive.

According to Tomar, his investigation revealed that the vulnerability in the AIIMS portal provided unrestricted access to a vast amount of private data, including full names, residential addresses, phone numbers, email addresses, blood groups, donated organs/tissues, donor age and even witness information. This data could be accessed without any form of authentication.

"I was able to view several lakh donor entries. The data wasn't just from Delhi; entries covered donors from multiple regions across India," Tomar told The Hindu. The scope of the exposure points to a nationwide data breach affecting individuals who placed their trust in a reputed health institution.

Among the most critical data fields exposed were:

Tomar promptly reported the issue to the Computer Emergency Response Team (CERT-In) with a detailed Proof of Concept (PoC) and recommendations for fixing the flaw. In his email, he stressed that the breach not only compromised personal information but also violated the Digital Personal Data Protection (DPDP) Act, 2023.

"This is more than just a technical issue; it's an ethical lapse. It impacts organ donors who expect the highest levels of confidentiality and data stewardship. Public trust in digital health platforms must not be taken for granted," Tomar warned in his communication with CERT.

Following Tomar's disclosure, CERT acknowledged the issue and worked with AIIMS to resolve the flaw. By June 18, 2025, the vulnerability was successfully mitigated and public access to sensitive data was blocked. CERT officially thanked Tomar for his responsible disclosure.

Tomar urged AIIMS and other government bodies to audit their digital health platforms for similar vulnerabilities and to promptly notify affected individuals as required by the DPDP Act. He stressed that personally identifiable information should never be exposed on public-facing systems, particularly in healthcare.