      Hackers May Have Stolen Patient Data from India’s Largest Hospital Chain

      The leaked files included Aadhaar, PAN, passports, vaccination reports, patient medical records, resumes of job applicants, payment gateway credentials, and backend source code.

      By -  Hera Rizwan |
      7 April 2025 3:01 PM IST

      EXCLUSIVE: Apollo Hospitals Patient Data Exposed in Massive Breach

      • Apollo, which serves lakhs of patients, had its critical data exposed, affecting patients, staff, and job applicants.
      • Leaked files included Aadhaar, PAN, passports, medical records, resumes, and internal login credentials.
      • Researchers uncovered SQL injection flaws, reverse shells, and unsecured URLs exposing live patient data.
      • Decode reached out to Apollo Hospitals for comment; the company has not responded so far.

      For security researchers Akshay and Viral, a casual look into a healthcare system’s security quickly turned into a major discovery. The duo uncovered a massive data leak within Apollo Hospitals, one of India’s largest hospital chains.

      The breach first came to their attention on January 9, when they found a zip file on the website of one of Apollo’s subsidiaries. Realising its sensitivity, they informed Apollo’s management within a couple of hours, on January 10.

      The file was removed by February 1, but fearing that the data could already have been accessed by bad actors, they escalated the issue to the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC), urging further investigation.

      In March, they discovered another zip file, smaller in size yet still containing sensitive data, which raised fresh concerns about ongoing security risks. It is unclear whether it is Apollo or an attacker who is creating and deleting files on the server.

      With a presence across 70 hospitals, 400+ clinics, and 5,000+ pharmacies, Apollo serves lakhs of patients annually. The findings, shared exclusively with Decode, expose a severe data protection failure, potentially compromising the personal and medical records of lakhs of patients across Apollo’s network.

      To avoid further exploitation, Decode is not revealing the exact file name or URL, as the leak was still active when we wrote this story.


      What Has Been Leaked?

      The exposed zip file contained a vast amount of highly sensitive information across different categories:

      Personal Identification Documents

      The file included scanned copies of important personal documents such as work ID cards, PAN cards, Aadhaar cards, passports and student IDs. This type of data can be used for identity theft, fraud, or unauthorised access to services.

      Medical Records and Health Data

      The breach exposed patient medical reports, vaccination details, and credentials linked to patient IDs and several internal databases. This means private health information, including diagnoses, prescriptions, and treatments, could be misused or leaked publicly by an attacker.

      System Access and Security Credentials

      The leak also included critical system login details, which could have allowed hackers to break into Apollo’s digital infrastructure. This included:

      - Payment gateway credentials – could be exploited to manipulate financial transactions.

      - System email credentials – could allow unauthorised email access and phishing attacks.

      - Complete source code (backend and frontend) – exposing how Apollo’s systems work internally.

      - Database access credentials – providing full control over stored sensitive data.

      - System and database backups – containing historical patient and financial data.

      - SMS gateway credentials – which could be misused to send fraudulent messages.

      - Third-party service credentials (e.g., Truecaller) – posing risks to Apollo’s integrations with external platforms.

      Internal Business Data

      - Customer Relationship Management (CRM) credentials, which store details of patient interactions.

      - Web application firewall (WAF) configuration details, making it easier for attackers to bypass security defences.

      Personal Information of Job Applicants

      Thousands of resumes of doctors and other prospective employees were also exposed, containing their names, contact details, educational backgrounds and work experience.

      This leak not only threatens patients' privacy but also puts employees and Apollo’s internal systems at risk.


      Exposed Apollo email credentials in code



      How Attackers Could Access More Data

      Beyond the exposed zip file, researchers uncovered far more serious flaws in Apollo’s systems that could have allowed attackers to dig even deeper and access highly sensitive data. These vulnerabilities were identified by closely analysing the leaked information.

      One of the most alarming issues was the presence of SQL Injection (SQLi) vulnerabilities — a common but dangerous flaw in web applications. SQLi happens when a web application builds a database query by inserting user input directly into the SQL text, instead of validating the input and passing it to the database separately as a parameter.

      This loophole allows attackers to enter malicious commands through everyday input fields like search bars or login forms, tricking the system into revealing or altering private data.


      Vulnerable code with SQL injection flaw

      In Apollo’s case, researchers found several website files containing poorly written database queries. These weaknesses could have enabled attackers to gain unauthorised access to patient records, internal credentials, and other confidential data.
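      The following is an added illustration of the class of flaw described above; it is not code from the article or from Apollo’s systems, and it uses an in-memory SQLite table with constructed sample rows as a stand-in for a hospital database. It contrasts a patient lookup that splices the request parameter into the SQL string with a hardened version that validates the input and passes it as a bound parameter.

```python
import sqlite3

# Constructed sample rows standing in for a patient table; not a real schema or real data.
PATIENTS = [
    (1001, "Patient A", "O+"),
    (1002, "Patient B", "AB-"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (patient_id INTEGER, name TEXT, blood_group TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", PATIENTS)
    return conn


def lookup_vulnerable(conn, patient_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text itself.

    Any quote or operator in the input changes the meaning of the query, so a crafted
    value can widen the WHERE clause and return rows the caller was never meant to see.
    """
    sql = "SELECT name, blood_group FROM patients WHERE patient_id = '" + patient_id + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, patient_id):
    """Hardened pattern: allow-list validation plus a parameterised query.

    The SQL text is fixed; the database driver binds the value separately, so the input
    can only ever be compared as data, never interpreted as SQL.
    """
    if not patient_id.isdigit():
        raise ValueError("patient_id must be numeric")
    sql = "SELECT name, blood_group FROM patients WHERE patient_id = ?"
    return conn.execute(sql, (int(patient_id),)).fetchall()


def hardened_rejects(conn, patient_id):
    """True when the hardened lookup refuses the input rather than running a query."""
    try:
        lookup_hardened(conn, patient_id)
    except ValueError:
        return True
    return False
```

      Running both lookups with the same malformed identifier shows the difference: the concatenated query returns every patient row, while the parameterised one rejects the value before any query is executed.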

      But the risks didn’t end there.

      The researchers also found signs of poor overall security hygiene. Some files hinted at the presence of reverse shells — a hacking method that allows attackers to establish a secret connection from the victim’s system back to their own, giving them remote control. This technique can let attackers maintain long-term access, even if the organisation believes it has secured its systems.

      What’s worse, weak authentication meant that parts of Apollo’s network could be accessed without even needing a password. This left the door wide open for intruders.

      Some parts of the leaked code also contained direct links to Apollo’s internal systems, which were publicly accessible over the internet. In other words, anyone with some technical knowledge could have stumbled upon them. In some cases, simply visiting certain URLs could directly extract and display live patient or hospital data from Apollo’s servers.


      Live patient data exposed on Apollo server

      This means that lakhs of patients—including those who had only visited for tests, consultations, or vaccinations—could have had their personal and medical records compromised. Even casual visitors to Apollo’s website might have unknowingly exposed their IP addresses or browsing behaviour.

      While the exposed zip file was eventually taken down temporarily, the broader vulnerabilities suggest that attackers may have already accessed and extracted sensitive data. In reality, the breach may be far more extensive than it initially appeared.


      Who Is Behind The Leak?

      The researchers believe the attack to be the work of the KillSec ransomware group, a known cybercriminal organisation that has targeted various sectors, including healthcare.

      Using Halcyon, a cybersecurity platform that tracks ransomware groups and their activities, they discovered that KillSec had attacked Apollo Hospitals in October 2024. The breached data they uncovered also dated back to the same period, reinforcing the link.

      KillSec is known for stealing sensitive information and threatening to publish or sell it unless a ransom is paid. Unlike some ransomware groups that focus on encrypting data to demand payment, KillSec often engages in double extortion—stealing data before deploying ransomware, giving them leverage even if the victim refuses to pay.

      Their attacks are part of a broader pattern of targeting critical infrastructure, with a particular focus on healthcare institutions, where stolen data can include not just financial details but also deeply personal medical records.


      The Risks and Response Gap

      The large-scale exposure of personal and medical data from Apollo’s systems poses serious risks. As enumerated by the researchers, identity theft is a major concern, as leaked Aadhaar cards, PAN cards, and passports could be misused for fraudulent activities.

      Furthermore, the breach of medical records is also a severe privacy violation, potentially leading to distress and stigma for affected individuals. Additionally, cybercriminals can use leaked patient details for targeted phishing attacks, impersonating Apollo to trick people into revealing passwords or making payments.

      Financial risks are also high, with exposed payment gateway credentials opening the door to fraudulent transactions.

      Beyond individual risks, Apollo faces reputational damage. As the researchers pointed out, the healthcare company’s slow response to the breach could erode public trust, making patients hesitant to share personal details in the future.

      The security researchers, Akshay and Viral, had promptly reported the breach to Apollo Hospitals on January 10, just a few hours after discovering the exposed file. Although the hospital appears to have removed the file weeks later, on February 1, the researchers remained concerned that attackers might already have accessed the data since October 2024 or even earlier.

      To escalate the matter, they reached out to CERT-In and NCIIPC, urging them to take action. Apollo never responded; CERT-In said it had already reported the matter to the concerned authority and would reply once Apollo confirmed a fix.

      The researchers noted that more than 60 days had passed since their first attempt to alert Apollo—far beyond the industry standard for responsible disclosure. While non-critical security issues are typically addressed within this timeframe, breaches of this scale are usually addressed within hours by companies of similar stature.

      Under the rules, organisations are mandated to report specific types of cyber incidents to CERT-In within six hours of detection. They must provide detailed information, including the nature of the breach, the systems affected, and any preliminary findings.

      Decode reached out to Apollo for a response on the breach, but they have not replied yet. The story will be updated if and when we receive a response.


      Tags: Data Leak, Data Privacy, Apollo