Serious Data Breach Exposes Sensitive Donor Information on AIIMS Portal
A significant security flaw in the AIIMS portal has put at risk the confidential details of organ and tissue donors associated with the Organ Retrieval Banking Organisation (ORBO). Discovered in mid-May 2025 by cybersecurity expert Aniket Tomar, this vulnerability allowed unauthorized access to critical personal and medical data of donors from various regions across India.
As a central hub for cadaver organ and tissue donation at the All India Institute of Medical Sciences (AIIMS) in New Delhi, ORBO’s role is crucial. It maintains a registry of brain-dead donors and coordinates transplants, making the leaked information especially sensitive and alarming.
Understanding the AIIMS Portal Vulnerability
Tomar’s findings indicate that the vulnerability in the AIIMS portal permitted unrestricted access to a wide range of private data: names, residential addresses, phone numbers, email addresses, blood groups, donated organs and tissues, donor ages, and witness details. Disturbingly, all of this could be viewed without any authentication at all.
“I was able to view several lakh donor entries. The data wasn’t just from Delhi—entries covered donors from multiple regions across India,” Tomar remarked in an interview with The Hindu. His assertions highlight the nationwide implications of this data breach, revealing a significant compromise of trust in a reputed health institution.
The most concerning pieces of data exposed included:
- Personally Identifiable Information (PII): Full names, mobile numbers, email addresses, and residential addresses.
- Medical Information: Details pertaining to donated organs, blood types, and donor ages.
- Witness Information: Contact and identification details of individuals who witnessed the donation process.
Response from CERT and Remediation Efforts
Upon discovering the issue, Tomar promptly alerted the Indian Computer Emergency Response Team (CERT-In), providing a detailed proof of concept (PoC) and recommendations for remediation. He emphasized that the exposure not only compromised personal information but also violated the Digital Personal Data Protection (DPDP) Act, 2023.
“This is more than just a technical issue—it’s an ethical lapse. It impacts organ donors who expect the highest levels of confidentiality and data stewardship. Public trust in digital health platforms must not be taken for granted,” Tomar cautioned in his correspondence with CERT.
Following Tomar’s disclosure, CERT-In confirmed the vulnerability and immediately began working with AIIMS on a fix. By June 18, 2025, the flaw had been addressed, blocking public access to the sensitive data. CERT-In publicly acknowledged Tomar for his responsible reporting of the issue.
Call for Enhanced Security Measures
In light of these events, Tomar urged AIIMS and other government institutions to audit their digital health platforms thoroughly for similar vulnerabilities and to notify affected individuals promptly, as the DPDP Act mandates. He underscored the importance of safeguarding personally identifiable information, particularly in the healthcare sector, to prevent devastating breaches in the future.