Cyber Incident Victim: National Institute of Mental Health and Neurosciences

The National Institute of Mental Health and Neurosciences (Nimhans) in Bengaluru experienced a ransomware attack on March 23, 2022, which disrupted access to critical computer systems and patient data. According to police reports, the attack encrypted multiple files, rendering them inaccessible to staff. Attackers sent a weblink to Nimhans stating that all data had been encrypted and demanded a ransom of $5,000 in Bitcoin to decrypt the files. The institute, a premier mental health facility in India, faced operational challenges due to the encryption of laboratory reports and sensitive patient records, including names and medical histories. The full scope of compromised systems and the extent of data loss remained unclear, as internal assessments were ongoing.

Nimhans filed a formal police complaint on April 30, 2022—over a month after the attack—through its director, Dr. Pratima Murthy. The delayed reporting highlighted institutional gaps in incident response protocols. Following the attack, the Nimhans Employees’ Association publicly criticized the organization’s IT infrastructure, citing inadequate cybersecurity measures and overreliance on outsourced expertise. Association members asserted that the internal IT department lacked functional capacity and had not conducted mandatory cyber safety audits, leaving systems vulnerable. The incident underscored operational disruptions to patient services and exposed systemic vulnerabilities in the institute’s digital defenses. No further details regarding data recovery or law enforcement investigations were disclosed in available reports.