CloudSEK in its report also warned that the leaked data could enable account takeovers.
Cyber threat analysis company CloudSEK on Monday reported that personally identifiable information (PII) and medical diagnoses of over 320,000 patients, along with sensitive data about doctors, were found to have been leaked on the dark web from the ministry of AYUSH website for Jharkhand.
The breach was initiated by a threat actor who goes by the name ‘Tanaka’, and the compromised data included sensitive information about doctors, such as their PII, login credentials, usernames, passwords, and phone numbers. Information about 500 login credentials, some in cleartext (unencrypted form), was exposed on the dark web.
The website for Jharkhand is designed and developed by Bitsphere Infosystem, an information technology services firm based in Ranchi. The threat actor shared a post titled ‘bitsphere.in’ on an English-speaking hacking forum, CloudSEK said in a report.
Email queries sent to officials of the AYUSH ministry, the office of the director at AYUSH Jharkhand, and Bitsphere Infosystem remained unanswered at the time of going to press.
The ministry of AYUSH website for Jharkhand serves as a critical resource providing information about ayurveda, yoga, naturopathy, unani, siddha, and homeopathy treatments. It connects patients to doctors working in these medical disciplines and is also used for education and research in these fields.
Although the database is relatively small, at around 7.3 megabytes in size, it contains over 320,000 patient records, including their PII information and medical diagnoses. It also contains contact information for 737 people who used the ‘contact us’ form on the website, as well as 472 records containing PII information of doctors. The database also contains PII information for 91 doctors, along with information about where they are posted.
The link between the compromised data and AYUSH Jharkhand’s website was established by cross-referencing chatbot and blogpost data shared by the threat actor with publicly accessible data on the website.
CloudSEK’s contextual artificial intelligence digital risk platform, XVigil, was used to identify the source of the leaked data.
“CloudSEK researchers found a deeply concerning data breach that has far-reaching implications for patient and doctor confidentiality. The breach raises serious concerns about the digital security of health care data,” the analytic platform said.
In its report, CloudSEK also warned that the leaked data could enable account takeovers, as commonly used or weak passwords could lead to ‘brute force’ attacks. It would equip malicious actors with the details required to launch sophisticated phishing attacks.
‘Brute force’ refers to attacks that use trial and error to guess login credentials or encryption keys.
Breach of health care databases may have severe implications as it includes sensitive data such as reproductive, sexual, and mental health data. This new report comes months after a Telegram bot was allegedly found leaking personal data collected by the government’s CoWin portal.
Last year, the servers of the All India Institute of Medical Sciences in New Delhi were infiltrated in a cyberattack, paralysing its operations.
Dark side of the web
- Around 500 login credentials, some unencrypted, allegedly exposed
- Breach also includes 472 records containing personal information of doctors
- Contact information of 737 people who used ‘Contact Us’ form may have leaked
- The leaked info may increase account takeovers and phishing attacks, among other threats
