For security researchers Akshay and Viral, a casual look into a healthcare system’s security quickly turned into a major discovery. The duo uncovered a massive data leak within Apollo Hospitals, one of India’s largest hospital chains.
The breach first came to their attention on January 9, when they found a zip file on one of Apollo’s subsidiary website. Realising its sensitivity, they immediately informed Apollo’s management, in a couple of hours, on January 10.
The file was removed by February 1, but fearing that the data could have been accessed by bad actors, they escalated the issue to Indian - Computer Emergency Response Team (CERT-In) and National Critical Information Infrastructure Protection Centre (NCIIPC), urging further investigation.
In March, they discovered another zip file—smaller in size yet still containing sensitive data, raising fresh concerns about ongoing security risks. It is unclear if it is Apollo or an attacker who is creating and deleting files on the server.
With a presence across 70 hospitals, 400+ clinics, and 5,000+ pharmacies, Apollo serves lakhs of patients annually. The findings, shared exclusively with Decode, expose a severe data protection failure, potentially compromising the personal and medical records of lakhs of patients across Apollo’s network.
To avoid further exploitation, Decode is not revealing the exact file name or URL, as the leak was still active when we wrote this story.
What Has Been Leaked?
The exposed zip file contained a vast amount of highly sensitive information across different categories:
Personal Identification Documents
The file included scanned copies of important personal documents such as Work ID cards, PAN cards, Aadhaar cards, Passports and Student IDs. This type of data can be used for identity theft, fraud, or unauthorised access to services.
Medical Records and Health Data
The breach exposed patient medical reports, vaccination details, and credentials linked to patient IDs and several internal databases. This means private health information, including diagnoses, prescriptions, and treatments, could be misused or leaked publicly by an attacker.
System Access and Security Credentials
The leak also included critical system login details, which could have allowed hackers to break into Apollo’s digital infrastructure. This included:
- Payment gateway credentials – could be exploited to manipulate financial transactions.
- System email credentials – could allow unauthorized email access and phishing attacks.
- Complete source code (backend and frontend) – exposing how Apollo’s systems work internally.
- Database access credentials – providing full control over stored sensitive data.
- System and database backups – containing historical patient and financial data.
- SMS gateway credentials – which could be misused to send fraudulent messages.
- Third-party service credentials (e.g., Truecaller) – posing risks to Apollo’s integrations with external platforms.
Internal Business Data
- Customer Relationship Management (CRM) credentials, which store details of patient interactions.
- Web security firewall (WAF) configuration details, making it easier for attackers to bypass security defenses.
Personal Information of Job Applicants
Thousands of resumes of doctors and other prospective employees were also exposed, containing their names, contact details, educational backgrounds and work experience.
This leak not only threatens patients' privacy but also puts employees and Apollo’s internal systems at risk.
Exposed Apollo email credentials in code
How Attackers Could Access More Data
Beyond the exposed zip file, researchers uncovered far more serious flaws in Apollo’s systems that could have allowed attackers to dig even deeper and access highly sensitive data. These vulnerabilities were identified by closely analysing the leaked information.
One of the most alarming issues was the presence of SQL Injection (SQLi) vulnerabilities — a common but dangerous flaw in web applications. SQLi happens when a website does not properly filter user input before sending it to the database.
This loophole allows attackers to enter malicious commands through everyday input fields like search bars or login forms, tricking the system into revealing or altering private data.
Vulnerable code with SQL injection flaw
In Apollo’s case, researchers found several website files containing poorly written database queries. These weaknesses could have enabled attackers to gain unauthorised access to patient records, internal credentials, and other confidential data.
But the risks didn’t end there.
The researchers also found signs of poor overall security hygiene. Some files hinted at the presence of reverse shells — a hacking method that allows attackers to establish a secret connection from the victim’s system back to their own, giving them remote control. This technique can let attackers maintain long-term access, even if the organisation believes it has secured its systems.
What’s worse, weak authentication meant that parts of Apollo’s network could be accessed without even needing a password. This left the door wide open for intruders.
Some parts of the leaked code also contained direct links to Apollo’s internal systems, which were publicly accessible over the internet. In other words, anyone with some technical knowledge could have stumbled upon them. In some cases, simply visiting certain URLs could directly extract and display live patient or hospital data from Apollo’s servers.
Live patient data exposed on Apollo server
This means that lakhs of patients—including those who had only visited for tests, consultations, or vaccinations—could have had their personal and medical records compromised. Even casual visitors to Apollo’s website might have unknowingly exposed their IP addresses or browsing behaviour.
While the exposed zip file was eventually taken down temporarily, the broader vulnerabilities suggest that attackers may have already accessed and extracted sensitive data. In reality, the breach may be far more extensive than it initially appeared.
Who Is Behind The Leak?
The researchers believe the attack to be the work of KillSec ransomware group, a known cybercriminal organisation that has targeted various sectors, including healthcare.
Using Halcyon, a cybersecurity platform that tracks ransomware groups and their activities, they discovered that KillSec had attacked Apollo Hospitals in October 2024. The breached data they uncovered also dated back to the same period, reinforcing the link.
KillSec is known for stealing sensitive information and threatening to publish or sell it unless a ransom is paid. Unlike some ransomware groups that focus on encrypting data to demand payment, KillSec often engages in double extortion—stealing data before deploying ransomware, giving them leverage even if the victim refuses to pay.
Their attacks are part of a broader pattern of targeting critical infrastructure, with a particular focus on healthcare institutions, where stolen data can include not just financial details but also deeply personal medical records.
The Risks and Response Gap
The large-scale exposure of personal and medical data from Apollo’s systems poses serious risks. As enumerated by the researchers, identity theft is a major concern, as leaked Aadhaar cards, PAN cards, and passports could be misused for fraudulent activities.
Furthermore, the breach of medical records is also a severe privacy violation, potentially leading to distress and stigma for affected individuals. Additionally, cybercriminals can use leaked patient details for targeted phishing attacks, impersonating Apollo to trick people into revealing passwords or making payments.
Financial risks are also high, with exposed payment gateway credentials opening the door to fraudulent transactions.
Beyond individual risks, Apollo faces reputational damage. As the researchers pointed out, the healthcare company’s slow response to the breach could erode public trust, making patients hesitant to share personal details in the future.
The security researchers, Akshay and Viral, had promptly reported the breach to Apollo Hospitals on January 10, just a few hours after discovering the exposed file. Despite the hospital likely removing the file weeks later on February 1, the researchers remained concerned that attackers might have already accessed the data since October 2024 or even earlier.
To escalate the matter, they reached out to CERT-In and NCIIPC, urging them to take action. However, Apollo never responded and CERT-In assured that they have already reported to the concerned authority and will reply once Apollo confirms a fix.
The researchers noted that more than 60 days had passed since their first attempt to alert Apollo—far beyond the industry standard for responsible disclosure. While non-critical security issues are typically addressed within this timeframe, breaches of this scale are usually addressed within hours by companies of similar stature.
By rule, organisations are mandated to report specific types of cyber incidents to CERT-In within six hours of detection. They must provide detailed information, including the nature of the breach, systems affected, and any preliminary findings.
Decode reached out to Apollo for a response on the breach, but they have not replied yet. The story will be updated if and when we receive a response.
