
Cyber Incident Victim: Safdarjung Hospital

Date: Dec 2022

Location: India

Summary

A cyberattack targeted Safdarjung Hospital, causing temporary server downtime, though officials confirmed it was not ransomware and patient data remained secure. IT teams and the National Informatics Centre swiftly restored systems after blocking malicious IP addresses. Concurrently, another major hospital faced prolonged server disruptions lasting over a week, forcing staff to operate critical services—including outpatient, inpatient, and laboratory functions—manually. Approximately 3,000 computers were scanned and secured with antivirus software, while internet access remained restricted during recovery. Multiple agencies, including the National Investigation Agency, CERT-In, and Delhi Police, investigated the incidents, leading to suspensions of personnel for data breaches. Restoration efforts succeeded in recovering e-Hospital data and laboratory information systems.


Description

In late November 2022, Safdarjung Hospital experienced a cyberattack that disrupted its server operations for one day. Medical Superintendent Dr. BL Sherwal confirmed the incident but clarified it did not involve ransomware, emphasizing that patient data remained secured throughout the outage. The hospital's IT team and the National Informatics Centre (NIC) managed to revive the systems promptly. An unidentified hospital official revealed that a specific IP address was blocked during the incident, though further details were unavailable as the IT department did not respond to inquiries. Senior resident doctors noted that manual workarounds became necessary during the disruption, reflecting existing contingency protocols. This event occurred amid broader cybersecurity challenges affecting India's healthcare infrastructure, as evidenced by a prolonged outage at the adjacent All India Institute of Medical Sciences (AIIMS) Delhi facility.


AIIMS Delhi's servers remained non-functional for eleven consecutive days as of December 3, 2022, with administrators projecting a mid-week restoration of manual services. Approximately 3,000 computers underwent antivirus scanning and software updates as a precautionary measure, though internet services remained suspended without official communication to staff. The incident prompted disciplinary actions, including the suspension of two analysts for data security breaches, with more personnel under scrutiny. Multiple agencies investigated the breach, including Delhi Police's Special Cell, the National Investigation Agency (NIA), CERT-In, Intelligence Bureau, CBI, and Ministry of Home Affairs representatives. While AIIMS restored its e-Hospital data and Laboratory Information System (LIS) databases by early December, network sanitization continued due to the infrastructure's scale, forcing all clinical services—outpatient, inpatient, and laboratory operations—to persist in manual mode. Security enhancements were implemented during the restoration process, though full system normalization timelines remained unspecified in available reports.
