Critical Vulnerability at AIIMS Deoghar Exposed Sensitive Patient Records

A serious cybersecurity lapse at the All India Institute of Medical Sciences (AIIMS) Deoghar has raised fresh concerns over data privacy and the security of India’s growing digital health infrastructure. A critical vulnerability in the institute’s digital systems reportedly allowed unauthenticated public access to sensitive patient records, exposing confidential medical information.
According to information reviewed by this publication, the flaw made it possible for anyone with a web browser to access patient data without any login or verification. The exposed records allegedly included patients’ full names, mobile numbers, diagnostic test reports, and detailed health profiles, significantly increasing the risk of identity theft, phishing, and social-engineering attacks.
Vulnerability Discovered, CERT-In Alerted
The issue was identified in mid-November 2025 by independent cybersecurity researcher Tushar Singh of Netrika Consulting India Pvt Ltd. (a leading cyber security firm), who escalated the matter to the Indian Computer Emergency Response Team (CERT-In). In his disclosure, Singh warned that the absence of basic authentication and access controls amounted to a serious breach of patient data privacy.
“This exposure involved personally identifiable information and medical data without any form of authorization. Such a lapse poses a grave threat to privacy, regulatory compliance, and the security of national health infrastructure,” Singh noted in his alert.

Legal and Trust Implications
Cybersecurity experts say the incident could potentially violate the Digital Personal Data Protection Act, 2023, which mandates strict safeguards for sensitive personal data, especially health information. A breach of this nature at a premier public healthcare institution risks undermining public trust in digital health platforms and highlights gaps in security-by-design practices.
Independent security researcher Harsh Verma described the incident as “deeply concerning,” stressing that even brief public exposure of healthcare data can have long-term consequences for affected individuals. He called for regular security audits and stronger accountability across public digital systems.
Vulnerability Mitigated
On January 7, 2026, CERT-In formally acknowledged the responsible disclosure and confirmed that the vulnerability had been remediated. The exposed data is no longer publicly accessible, according to the researcher.
While the immediate risk appears to have been contained, experts warn that the episode underscores the urgent need for continuous monitoring, penetration testing, and robust cybersecurity governance across India’s rapidly expanding digital healthcare ecosystem.




