AIIMS ORBO Website Exposes Sensitive Donor Information Due to Security Flaw
A major security issue in the AIIMS Organ Retrieval Banking Organisation (ORBO) website exposed highly sensitive personal and medical details of organ and tissue donors from across India. This flaw allowed anyone to access private data without logging in or needing permission.
Aniket Tomar, an independent cybersecurity expert, discovered the problem in May 2025. He found that the system allowed full access to the names, phone numbers, email addresses, home addresses, blood groups, donated organs and tissues, donor ages, and even witness details of thousands of registered ORBO donors.
Why This Matters
ORBO is a department at AIIMS, New Delhi, responsible for handling cadaver organ and tissue donations. It manages the registry of people declared brain dead and coordinates transplants. Because of this, the leaked data involved highly private and sensitive health information.
Tomar confirmed that he accessed records not just from Delhi, but also from donors across the country. He warned that such a data breach could seriously damage public trust and compromise India’s national health data system.
Details of the Leak
Tomar revealed that the AIIMS portal did not have any protection in place to block access to the data. Anyone could view the information openly, without needing a password or authentication.
- Names, phone numbers, emails, and addresses
- Medical details like blood group and donated organs
- Details of witnesses who helped with the donation process
Government Response
Tomar immediately informed CERT-In (India’s cybersecurity agency), sharing screenshots and technical proof of the issue. He also pointed out that the leak violated the Digital Personal Data Protection Act, 2023, which mandates strict protection of personal data.
In response, CERT acknowledged the issue and worked with AIIMS to fix it. By June 18, 2025, the security hole was patched, and public access to donor information was blocked. CERT also thanked Tomar for responsibly reporting the issue.
Call for Action
Tomar urged AIIMS and other public health organizations to audit their websites and platforms for similar weaknesses. He also advised them to inform affected donors about the breach, as required by law.
“Sensitive personal and medical data should never be made public,” Tomar said. “Healthcare institutions must protect the privacy of those who trust them.”
Also read: Sri Lanka Sets April 2026 for Digital ID Launch, Pledges Data Protection
