Menu
Browse

Breach Candy Hospital

Aliases: 2 aliases
Primary URL Location Industry
breachcandyhospital[.]org
Country India
Healthcare Icon
Healthcare
Profile

Breach Candy Hospital, also referred to simply as Breach Candy, is a healthcare provider headquartered in India. The institution operates under these aliases and delivers medical services to patients, though publicly available sources do not specify its specialties, bed capacity, or patient volume. As a hospital, its core function involves the diagnosis, treatment, and care of individuals seeking medical attention. The organization’s presence is confined to the Indian healthcare landscape, with no further details about additional facilities or international outreach disclosed in the available information.

On February 1, 2020, the hospital experienced a cybersecurity incident that exposed approximately 121 million medical records. This figure encompasses a substantial volume of data, making the breach one of the larger reported incidents in the healthcare sector. The compromised records included both clinical imaging files and sensitive personal information belonging to individuals who had interacted with the hospital’s services. The sheer scale of the exposure underscores the significance of the event within the context of health‑data security.

Of the roughly 121 million records affected, about 120 million consisted of medical imaging files such as X-rays and scans, which were stored in an unsecured Digital Imaging and Communications in Medicine (DICOM) system. The remaining one million records contained sensitive personal identifiers, including Aadhaar numbers and detailed medical histories. These data types represent both clinical and personally identifiable information, increasing the potential impact on affected individuals. The storage of such a large quantity of imaging data in an inadequately protected system highlights a specific vulnerability within the hospital’s IT environment.

Investigations into the breach determined that the compromise originated from weakened access controls within the hospital’s infrastructure, allowing unauthorized entry to the DICOM system and associated databases. Despite the magnitude of the incident, no formal investigation was conducted by national cybersecurity authorities following the discovery. Furthermore, the hospital did not issue any subsequent public disclosures detailing the breach, its remediation steps, or any measures taken to prevent future occurrences. This lack of official follow‑up left the incident without documented regulatory oversight or public accountability.

The event is notable for the exceptional volume of data exposed, positioning it among the most significant healthcare data breaches reported to date. While the hospital continues to operate under its established names, the breach serves as a stark reminder of the risks associated with insufficient security controls for medical information systems. The available information confirms the occurrence, scope, and aftermath of the incident without speculating on unverified details about the organization’s broader operations or future initiatives.

Incidents
Linked incidents available to members
1 incident