Massive Data Leak Found in AIIMS Organ Donor Website, Now Fixed
An independent researcher recently discovered a serious security issue on the website of the Organ Retrieval Banking Organisation (ORBO), which is part of the All India Institute of Medical Sciences (AIIMS), New Delhi.This vulnerability exposed the personal details of people who had voluntarily registered as organ donors from across India. The leaked information included names, health records, contact numbers, home addresses, blood groups, and even emergency contact details.
Aniket Tomar, a cybersecurity researcher, discovered the vulnerability in mid-May 2025. He reported the issue to the Indian Computer Emergency Response Team (CERT-In), which is responsible for handling cybersecurity threats in the country. After receiving his alert, CERT and AIIMS took action, and the exposed data is no longer available to the public.
What ORBO Does
ORBO plays a key role in organ and tissue donation in India. ORBO manages the registry of people who are declared brain dead and coordinates donations and transplants. It also works with hospitals to spread awareness and streamline the donation process.
Unfortunately, this platform had a flaw. It allowed anyone to access sensitive personal and medical information without logging in or providing any authentication.
This made it possible for unauthorized individuals to view data that should have remained private.
Expert Raises Alarm Over Data Safety
In his alert, Aniket Tomar warned that the data leak was serious and could allow cybercriminals to exploit it. They could use the exposed information for identity theft, phishing scams, and other harmful activities. He stressed that such a leak from a top medical institution like AIIMS damages public trust in India’s digital health systems.
Tomar further pointed out that the breach violated the rules set by the Digital Personal Data Protection (DPDP) Act, 2023. The Act requires institutions to protect sensitive personal data. He also urged the government to review and audit similar websites of other hospitals and health portals to ensure they are secure.
CERT Responds, ORBO Fixes Issue
CERT officially thanked Tomar on June 18, 2025, for his efforts. Tomar confirmed that the developers fixed the vulnerability and removed public access to the data. However, he recommended that AIIMS should notify all affected donors and take further steps to prevent such incidents in the future.
“I was able to see lakhs of donor records, and they were not just from Delhi—they came from across the country,” Tomar told The Hindu. “This is a serious privacy issue. People who donated their organs trusted the system to keep their information safe. That trust has now been shaken.”
He also called this more than just a technical problem—it’s an ethical issue that puts India’s entire healthcare system under the spotlight. People may hesitate to join life-saving programs like organ donation if they lose trust in how institutions handle their data.
Also read: https://news.concur.live/parliament-panel-questions-meity-on-delays-in-implementing-dpdp-act/
