Cyber Incident Victim: Breach Candy Hospital

The Breach Candy Hospital data breach occurred in February 2020, compromising over 121 million medical records. The majority of exposed records—120 million—consisted of medical images stored within the hospital's Digital Imaging and Communications in Medicine (DICOM) system, including X-rays and diagnostic scan reports. Approximately one million additional records contained sensitive personal information such as Aadhaar identification numbers and detailed medical histories. The breach originated from a compromise of the hospital's access control systems, though no specific technical details about the attack vector were publicly disclosed. The scale of this incident represented one of the largest known healthcare data breaches in India at the time, exposing highly sensitive patient data across multiple categories.

No formal investigation by the Indian Computer Emergency Response Team (CERT-IN) was conducted following the breach, and the incident received minimal media coverage despite its severity. The hospital and relevant authorities did not issue public statements or breach notifications to affected individuals, leading to a lack of awareness among patients regarding potential misuse of their data. The compromised Aadhaar information created particular risks for identity theft and financial fraud, given the national ID's linkage to essential services. The absence of containment measures or remediation steps being publicly documented suggested institutional inaction in addressing the security failure. This pattern of non-disclosure contrasted with subsequent 2020 breaches at other Indian healthcare entities, though Breach Candy's incident set a precedent for inadequate breach response protocols within the sector.