Healthcare Infrastructure

Hospital networks, AIIMS ransomware, pharmaceutical IP, and healthcare data breaches

40M       AIIMS Records         Nov 2022 ransomware
500M      PM-JAY Beneficiaries
1.3B      CoWIN Records         Vaccination data
31M       Star Health           Records exposed
14        Days Downtime         AIIMS attack duration
200 Cr    Ransom Demand         AIIMS attack
5000+     AIIMS Beds            Premier institution
UNC4540   AIIMS Attribution     Chinese state-sponsored

01 Breach Incident & Attribution Data

Healthcare Breach Incident Table

Incident               Date        Records   Attribution                   Confidence   Attack Vector
AIIMS Delhi            Nov 2022    40M       UNC4540 (Chinese)             HIGH         Phishing + VPN Exploit
CoWIN                  Jun 2023    1300M     Unknown/Criminal              CONFIRMED    API Enumeration
Star Health            Oct 2024    31M       Insider + External            CONFIRMED    Data Export Abuse
Dr. Reddy's            Oct 2020    5M        Lazarus Group (North Korea)   HIGH         Ransomware
Tamil Nadu Hospitals   Dec 2022    0M        Unknown/Criminal              CONFIRMED    Ransomware
Lupin                  Sep 2021    2M        Unknown Ransomware            CONFIRMED    Credential Compromise
Apollo (cumulative)    2020-2023   10M       Multiple                      CONFIRMED    Various
PM-JAY                 2023-2024   500M      N/A                           RISK         Distributed Attack Surface

Total Documented Compromised: 1.37+ Billion Records

Threat Actor Attribution Matrix

Threat Actor            Targets                  Confidence   TTPs                                       Gap Exploited
UNC4540/Worn in Paris   AIIMS, Pharma R&D        HIGH         Phishing, VPN Exploit, Custom Backdoors    No CISO, No Segmentation
Lazarus Group           Dr. Reddy's, Vaccines    HIGH         Ransomware, Data Exfiltration              Perimeter Vulnerabilities
Transparent Tribe       PM-JAY, Hospitals        MEDIUM       Healthcare-themed Phishing                 Small Hospital Security
APT41                   Pharma Formulation IP    HIGH         Spear-phishing, Supply Chain               CRO Security
Criminal RaaS           All Hospitals            CONFIRMED    LockBit, Ransomware commoditization        Zero Security Controls
Insider Threats         Star Health Type         CONFIRMED    Database Access, Data Sale                 No Insider Threat Program

Dark Web Data Pricing Sheet

Data Type                   Price Range (INR)   Volume   Risk Level
Basic Demographics          ₹100-₹300           High     Medium
Insurance Policy Data       ₹300-₹800           Medium   High
Lab Results + Diagnostics   ₹500-₹1,500         Medium   High
Full Medical History        ₹1,500-₹5,000       Low      Critical
HIV Status + Linked Data    ₹3,000-₹8,000       Low      Critical
Mental Health Records       ₹2,000-₹6,000       Low      Critical

Monetization: Insurance Fraud, Prescription Drug Diversion, Identity Theft, Blackmail/Extortion

Medical Device Risk Matrix

Device Class            Severity   Vendors / Examples                 OS Support             Exploitability
MRI/CT Scanners         CRITICAL   GE Signa, Philips, Siemens         53%+ Unsupported       High
Infusion Pumps          CRITICAL   Medtronic, BD Alaris               Legacy OS Common       Critical
Pacemaker Programmers   CRITICAL   Medtronic                          Unpatchable            Life-threatening
Patient Monitors        HIGH       Philips IntelliVue, GE CARESCAPE   Varying                High
Anesthesia Machines     HIGH       GE Aespire, Drager                 2023 FDA Recall        Confirmed
PACS Systems            HIGH       Medical Imaging Storage            Win Server 2008/2012   High

Severity legend: CRITICAL - Life-threatening; HIGH - Operational Impact

02 Records Compromised & Incident Timeline

Cumulative Records Compromised (Millions) (chart; legend: Increase, Decrease, Total)

Healthcare Incident Timeline (chart)

PM-JAY Integration Points

Integration Point     Count    Risk       Note
Empaneled Hospitals   32,403   HIGH       Attack surface for lateral movement
State Servers         28       CRITICAL   Inferior security feeding national platform
Integration APIs      24,000   HIGH       Never subjected to security assessment
Data Centers          5        MEDIUM     Centralized NHA architecture
Field Workers         50,000   HIGH       Endpoint attack surface

500M+ beneficiary records at risk via distributed attack surface

Hospital Security Maturity Comparison

Corporate    65%
AIIMS-like   33%
District     18%
Mid-Tier     25%
Primary       8%

03 Vulnerability & Activity Heatmaps

Breach Severity by State (heatmap, scale 0-100; only the diagonal cells carry values)
  Delhi 95, Maharashtra 60, Karnataka 55, Telangana 50, Tamil Nadu 45, Gujarat 40, West Bengal 35, UP 30

Threat Actor Activity Heat (Intensity, scale 0-100, by quarter)
  Q1 2022: 30   Q2 2022: 70   Q3 2022: 95   Q4 2022: 80
  Q1 2023: 60   Q2 2023: 40   Q3 2023: 45   Q4 2023: 50
  Q1 2024: 55   Q2 2024: 60   Q3 2024: 65   Q4 2024: 70

Medical Device Vulnerability Index (scale 0-100)
  MRI/CT 85, Infusion Pumps 70, Patient Monitors 60, Anesthesia 75, Pacemakers 95, PACS Systems 90

Healthcare Data Dark Web Availability (scale 0-100)
  Demographics 90, Insurance 85, Diagnostics 70, Medical History 60, HIV Status 40, Mental Health 45

04 Architecture & Flow Diagrams

PM-JAY Data Flow Architecture (diagram)
  Nodes: NHA Central, SIS Layer, State Servers (28), Hospitals (32,403), GSTN, Aadhaar Auth, Field Workers
  Flow labels: Data Flow, State Data, Aggregation, Auth, Linkage, Updates
  Legend: Primary, Secondary, External

AIIMS Network Topology (Post-Breach Analysis) (diagram)
  Nodes: Internet, Fortinet VPN, Perimeter FW, Admin Network, Clinical Systems, OT/Medical Devices, Backup Systems, EHS Server
  Attack stage labels: Phishing, Log4Shell, Lateral Spread, OT Access, Destroy, EHR Access
  Legend: Primary, Secondary, External

ABDM/ABHA Linkage Architecture (diagram)
  Nodes: Aadhaar, ABHA (270M+), Health Records, PHR Apps, Hospitals, Insurers, Govt Schemes
  Link labels: Link, Links, Access, Source, Claims, Schemes
  Legend: Primary, Secondary, External

Pharmaceutical Supply Chain (diagram)
  Nodes: R&D Labs, Manufacturing, Distribution, Pharmacy, Patient, CROs, API Suppliers
  Flow labels: IP Flow, Trials, Inputs, Supply, Logistics, Dispense
  Legend: Primary, Secondary, External

Medical Device Vendor Access Model (diagram)
  Nodes: Hospital Network, Medical Devices, Vendor Cloud, Remote Support, EHR/EMR, OT Systems
  Link labels: Connected, Telemetry, Access, Data Flow, Converged, Unmonitored
  Legend: Primary, Secondary, External

Insider Threat Flow (Star Health) (diagram)
  Nodes: Insider (Executive), Database Access, Data Export, Telegram, Criminal Buyers, Insurance Fraud
  Stage labels: Access, Query, Sale, Distribution, Use
  Legend: Primary, Secondary, External

05 Threat Actor Targeting Map

Threat Actor Targeting Map (diagram)
  Actors: Chinese State, North Korea, Pakistan APT, Criminal RaaS, Insider
  Targets: AIIMS, PM-JAY, Pharma IP, Star Health, Devices
  Edge labels: Targets, Breach, Potential
  Legend: Primary, Secondary, External

Breach Records by Sector (Millions) (chart)

Breach Cause Distribution (chart; categories: Phishing, Insider Threat, Vulnerability, Third-Party, Misconfiguration)

Security Investment vs Breach Likelihood (chart)

AIIMS Restoration Timeline (Days from Attack; axis 0, 7, 14, 21, 28 days)
  Initial Detection       100%
  Incident Response       100%
  Network Isolation       100%
  Backup Assessment       100%
  System Restoration       85%
  Security Hardening       40%
  Full Recovery             0%
  Post-Incident Review      0%
  Legend: Completed, In Progress, Planned, Delayed

Security Maturity by Tier

Corporate Chains     65%
AIIMS-like           33%
District Hospitals   18%
PHCs                  8%

Missing Controls Assessment

Category     Control                          Status   Evidence
Prevention   Dedicated CISO                   ABSENT   AIIMS had none
Prevention   Network Segmentation             ABSENT   Flat network at AIIMS
Prevention   Vulnerability Management         ABSENT   Unpatched Fortinet VPN
Prevention   Backup Isolation                 ABSENT   Destroyed during dwell
Prevention   MFA / PAM                        ABSENT   Lupin credential compromise
Prevention   Security Awareness               ABSENT   Phishing in all state-sponsored
Prevention   OT/IT Separation                 ABSENT   Legacy devices on general network
Prevention   Insider Threat Program           ABSENT   Star Health executive sold data
Detection    Security Monitoring/SOC          ABSENT   No detection during 14-day dwell
Detection    Threat Hunting                   ABSENT   Active intrusion undetected
Detection    Access Analytics/DLP             ABSENT   31M Star Health exported unnoticed
Response     Incident Response Plan           ABSENT   Ad hoc AIIMS response
Response     Forensic Capability              ABSENT   14-day restoration reflects paralysis
Regulatory   Mandatory Breach Notification    ABSENT   No requirement
Regulatory   Min Security Standards           ABSENT   None defined for healthcare

Regulatory Status Comparison

Regulatory Element        DISHA (Proposed)   DPDP Act 2023       Healthcare-Specific
Health Data Protection    Proposed           General Framework   Lacking
Consent Requirements      Proposed           General Consent     Not Specified
Breach Notification       Proposed           Limited             Not Defined
Patient Rights            Proposed           General             Not Detailed
Min Security Standards    Proposed           None                Not Defined
Enforcement Penalties     Proposed           Civil Remedies      Not Sector-Specific
Mandatory Testing         N/A                N/A                 NOT REQUIRED
Device Inventory          N/A                N/A                 Not Mandated

DISHA not enacted; DPDP Act 2023 provides a general framework without healthcare-specific rules

Charts (no data captured): AIIMS Attack - System Availability; Healthcare Ransomware Trend; Healthcare Data Breach Impact; Healthcare Security Score

Threat Assessment

Healthcare Threat Level: CRITICAL
  Critical: 70%
  High: 20%
  Medium: 7%
  Low: 3%

Pharmaceutical Targeting

APT41 Targeting: Generic drug development data, clinical trials, manufacturing processes
State-Sponsored Espionage: Premium value in commercial and intelligence markets
Research Data Exfiltration: Targeting biotech, vaccine research, proprietary formulations

Case Studies

November 2022 - AIIMS Delhi Ransomware Attack (severity: critical)

Chinese state-sponsored group UNC4540 conducted a ransomware attack on AIIMS Delhi servers. The attack disrupted hospital operations for 14 days, affecting patient care, lab systems, and administrative functions.

Actor: UNC4540 (Chinese)
Impact: 40M patient records, 14 days downtime, ₹200 crore ransom demand

2024 - Star Health Data Breach (severity: critical)

Star Health Insurance suffered a data breach exposing 31 million customer records, including medical histories, insurance claims, and personal identification data. The data was sold by insiders.

Actor: Insider Threat
Impact: 31M records including medical histories and claims data

October 2020 - Dr. Reddy's Ransomware (severity: high)

Dr. Reddy's Laboratories suffered a ransomware attack that forced the shutdown of data centers across multiple locations during its COVID-19 vaccine development phase.

Actor: Unknown (Criminal)
Impact: Data centers shut down, vaccine development delayed

2023-2024 - PM-JAY Data Security (severity: high)

The Pradhan Mantri Jan Arogya Yojana health insurance scheme, covering 500+ million individuals, runs on IT infrastructure with multiple intermediaries, creating distributed data exposure.

Actor: Multiple Attack Vectors
Impact: 500M+ beneficiary health records with inconsistent security

Key Findings

Hospital OT Network Convergence

Hospital OT networks controlling HVAC, building automation, medical gas systems, and elevators connect to IT networks without adequate segmentation. The AIIMS attack demonstrated a pathway to safety-critical systems.

Aadhaar Biometric Irreversibility

ABHA (Ayushman Bharat Health Account) links biometric credentials to health records. Compromised biometrics cannot be revoked, which creates a permanent identity theft risk.

Healthcare Insider Market

Hospital employees sell patient records at ₹500-500,000 per record depending on completeness. The Star Health breach demonstrated insider involvement in data sales.

Pharmaceutical IP Targeting

Indian pharma companies are targeted by APT41 and other state actors for R&D data, clinical trial results, and generic drug formulations. This data carries premium value in state-sponsored markets.

Medical Device IoMT Security

Internet of Medical Things (IoMT) devices, including infusion pumps, pacemakers, and diagnostic equipment, have documented vulnerabilities and limited patching capability.

Critical Alert
AIIMS ransomware demonstrated hospital OT network access - patient safety systems at risk
1.37+ Billion Records Compromised
Documented healthcare data breaches: AIIMS (40M), CoWIN (1.3B), Star Health (31M), Dr. Reddy's, PM-JAY (500M at risk)