Cyber Incident Victim: All India Institute of Medical Sciences
Date: Nov 2022
Location: India
Summary
A ransomware attack severely disrupted digital services at a major Indian medical institution, forcing critical operations such as outpatient registrations, billing, lab reports, and appointment systems to operate manually. The incident halted diagnostic workflows, including sample barcode generation and access to imaging results, significantly delaying patient care and causing some individuals to leave due to prolonged manual processing delays. While previous minor server outages had occurred, this marked the first prolonged and widespread disruption attributed to ransomware. The National Informatics Centre (NIC), responsible for the affected infrastructure, engaged the Indian Computer Emergency Response Team (CERT-In) for restoration support and initiated law enforcement investigations while pledging enhanced security measures to prevent recurrence.
Description
On November 23, 2022, a ransomware attack disrupted servers operated by the National Informatics Centre (NIC) at the All India Institute of Medical Sciences (AIIMS) Delhi, severely impacting digital hospital services. The attack forced critical operations including outpatient and inpatient registration systems, smart lab functions, billing, report generation, and appointment scheduling to halt. Medical staff could not generate barcodes for laboratory samples, access patient imaging results, or retrieve diagnostic reports. Hospital services transitioned entirely to manual processes, causing significant operational delays. Outpatient departments experienced near-total standstills, with blood tests and other diagnostic services suspended. Doctors described the disruption as unprecedented in duration and severity compared to prior minor server outages. Patients faced extended wait times due to slower manual registration, leading some to abandon treatment attempts. The NIC confirmed the ransomware incident and initiated reporting procedures to law enforcement agencies for investigation.

AIIMS and NIC immediately engaged the Indian Computer Emergency Response Team (CERT-In) and internal technical teams to restore digital infrastructure while implementing manual contingency measures. Hospital administrators issued a public statement acknowledging the attack's impact on NIC-hosted systems and committed to preventive upgrades. Services remained partially disrupted through the night as restoration efforts continued. Medical staff reported persistent challenges in sample processing and report retrieval during the outage, exacerbating patient care delays. The incident highlighted systemic vulnerabilities in NIC's server infrastructure, with clinicians citing long-standing concerns about inadequate system resilience. No data theft or ransom demands were disclosed in available reports, with response efforts focused exclusively on service restoration and infrastructure hardening.
