Hacker Leaks over 3.2 Lakh Patients' Data Linked to Ayush Jharkhand Govt Website to Dark Web
According to the team of researchers from CloudSEK, the breach, attributed to a hacker known as "Tanaka", has exposed highly sensitive personal information, including medical diagnoses, doctor credentials, and website login details

In a major cybersecurity breach, over 320,000 patient records from Ayush Jharkhand’s official website, ayush.jharkhand.gov.in, have been compromised and leaked on dark web hacking forums. The breach, attributed to a hacker known as “Tanaka,” has exposed highly sensitive personal information, including medical diagnoses, doctor credentials, and website login details.

As per the team of researchers from CloudSEK, the breach was discovered when Tanaka shared a post titled “bitsphere.in” on an English-speaking hacking forum. Ayush.jharkhand.gov.in is the official website of the Ministry of AYUSH for Jharkhand, which provides information on Ayurveda, Yoga and Naturopathy, Unani, Siddha, and Homoeopathy treatments.

The compromised database, totalling 7.3 MB in size, contains more than 320,000 patient records, each including personally identifiable information (PII) and medical diagnoses. Additionally, the database includes login information for the website, including usernames, passwords, and phone numbers. Furthermore, the exposed data also comprises PII details of 472 doctors, along with information about their postings.

An investigation by the researchers confirmed that the data had been extracted from the servers of ayush.jharkhand.gov.in, which are maintained by bitsphere.in. This attribution was made by correlating data shared by the threat actor with publicly available information on the website, including chatbot data and blog posts. Researchers believe that the hacker first attacked bitsphere.in and then accessed the government website's data.

CloudSEK’s contextual AI digital risk platform XVigil discovered the threat actor Tanaka sharing the database on August 14, after which the team informed the government. A thorough analysis of the compromised database revealed the extent of the breach:

  • Over 320,000 patient records, including PII and medical diagnoses.
  • Approximately 500 login credentials with multiple plaintext passwords.
  • Contact information for 737 individuals who used the website’s contact form.
  • PII for 472 doctors.
  • Details on 91 doctors, including their postings.

However, one of the researchers told News18 that they informed the authorities about this breach but haven't received any response. They believe, though, that the government has been given time since the finding to take appropriate measures to secure the website.
