A critical vulnerability in the AIIMS portal exposed highly sensitive data of voluntary organ and tissue donors registered with the Organ Retrieval Banking Organisation (ORBO). The AIIMS portal vulnerability allowed unauthorized access to personally identifiable and medical information of donors across India. This vulnerability was discovered in mid-May 2025 by independent cybersecurity researcher Aniket Tomar. ORBO is a key facility of the All India Institute of Medical Sciences (AIIMS), New Delhi.
The AIIMS portal vulnerability, if left unpatched, had the potential to severely undermine data privacy, public trust, and the security of the national digital health infrastructure.
ORBO, as the nodal body for cadaver organ and tissue donation activities at AIIMS, maintains a brain death donor registry and coordinates transplants, making the exposed data particularly sensitive.
Decoding the AIIMS Portal Vulnerability and Data Exposure
According to Tomar, his investigation revealed that the vulnerability in the AIIMS portal provided unrestricted access to a vast amount of private data, including full names, residential addresses, phone numbers, email addresses, blood groups, donated organs, tissues, donor age, and even witness information. This data could be accessed without any form of authentication.
“I was able to view several lakh donor entries. The data wasn’t just from Delhi—entries covered donors from multiple regions across India,” Tomar told The Hindu. “The scope of the exposure points to a nationwide data breach affecting individuals who placed their trust in a reputed health institution.”
Among the most critical data fields exposed were:
- Personally Identifiable Information (PII): Full names, mobile numbers, email addresses, residential addresses.
- Medical Information: Donated organs, blood types, tissues, and donor age.
- Witness Details: Contact and identification information of witnesses to the donation process.
CERT’s Intervention and Fix
Tomar promptly reported the issue to the Computer Emergency Response Team (CERT-IN) with a detailed Proof of Concept (PoC) and recommendations for fixing the flaw. In his email, he stressed that the breach not only compromised personal information but also violated the Digital Personal Data Protection (DPDP) Act, 2023.
“This is more than just a technical issue—it’s an ethical lapse. It impacts organ donors who expect the highest levels of confidentiality and data stewardship. Public trust in digital health platforms must not be taken for granted,” Tomar warned in his communication with CERT.
Following Tomar’s disclosure, CERT acknowledged the issue and worked with AIIMS to resolve the flaw. By June 18, 2025, the vulnerability was successfully mitigated, and public access to sensitive data was blocked. CERT officially thanked Tomar for his responsible disclosure.
Conclusion
Tomar urged AIIMS and other government bodies to audit their digital health platforms for similar vulnerabilities and to promptly notify affected individuals, as required by the DPDP Act. He stressed that personally identifiable information should never be exposed on public-facing systems, particularly in healthcare.
