For security analysts Akshay and Viral, a casual check of a healthcare system's security quickly turned into a huge finding. The duo discovered a major data leak at Apollo Hospitals, one of India's leading hospital networks.
The breach first came to their attention on January 9, when they discovered a zip file on one of Apollo's subsidiary websites. Recognising the sensitivity, they notified Apollo's management within a few hours on January 10.
The file was erased by February 1, but they raised the issue with the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC), urging further investigation.
In March, they uncovered another zip file, which was smaller in size but still included sensitive material, raising new concerns about ongoing security threats. It remains unknown whether Apollo or an intruder is adding and deleting files from the server.
The leaked data include scanned copies of critical personal documents such as work identification cards, PAN cards, Aadhaar cards, passports, and student IDs. This type of data can be used to commit identity theft, fraud, or illegal access to services.
Additionally, the breach exposed patient medical records, immunisation information, and credentials associated with patient IDs and many internal databases. This means that an attacker could misuse or publicly disclose confidential health information, such as diagnosis, prescriptions, and treatments.
Who is behind the leak?
The experts suspect the attack was carried out by the KillSec ransomware organisation, a well-known cybercriminal outfit that has attacked a variety of sectors, including healthcare.
Using Halcyon, a cybersecurity platform that tracks ransomware gangs and its actions, they learnt that KillSec targeted Apollo Hospitals in October 2024. The compromised data they discovered also dated back to that time period, establishing the connection.
KillSec is notorious for stealing sensitive data and threatening to publish or sell it unless a ransom is paid. Unlike some ransomware gangs who encrypt data to demand payment, KillSec frequently uses double extortion—stealing data before spreading ransomware, giving them leverage even if the victim refuses to pay.
No action taken
The researchers highlighted that well over 60 days had passed since their initial attempt to notify Apollo, far exceeding the industry threshold for responsible disclosure. While non-critical security issues are routinely addressed within this timeframe, breaches of this magnitude are usually resolved within hours by firms of comparable size.
Organisations must report particular types of cyber incidents to CERT-In within six hours of detection. They must submit accurate data, such as the nature of the breach, the systems involved, and any preliminary results.