AIIMS cyber attack: At least five servers infected, have data of 3-4 crore patients

Sources said the five servers hosted data of approximately 3-4 crore patients, but added that reports of patient data being stolen had “no factual basis”.

Meanwhile, two systems analysts are learnt to have been suspended on Monday for not responding to phone calls and not attending an emergency meeting on November 23, when the cyber attack took place.

The duo were issued showcause notices on November 24, and told to file their written replies the same evening. The showcause notice issued to one of the analysts, who is learnt to have been on leave at the time, mentioned that the official was contacted on phone, but did not respond. The notice, seen by The Indian Express, said a text message was also sent to him, but he did not turn up for the emergency meeting on the night of November 23.

Sources said the second showcause notice was similar in content.

While hospital services have been operating in manual mode since the cyber attack, a team of experts from the Indian Computer Emergency Response Team (CERT-in) and National Informatics Centre (NIC) are working on restoring digital services.

Significantly, sources said that besides the servers, the AIIMS network and its computers are “also vulnerable”. Therefore, following the advice of CERT-in, AIIMS internet and AIIMS intranet have been discontinued and “their vulnerabilities are being addressed”, said sources.

“AIIMS has about 10,000 computers and not all of them have updated anti-virus applications. This is also being addressed,” sources said.

The restoration of servers is taking longer than expected as it is a highly technical job that involves three broad steps, said sources. First, the five infected servers have to be verified. Second, they will then have to be restored. Third, the data backed up on the five infected servers, which has been transferred elsewhere, has to be restored “on the rectified servers”.

“The eHospital data has been restored on the servers. Network is being sanitised before the services can be restored. The process is taking some time due to the volume of data and large number of servers/ computers for the hospital services. Measures are being taken for cyber security,” AIIMS said in a statement on Tuesday, adding that “all hospital services, including out-patient, in-patient, laboratories etc continue to run on manual mode”.

The National Investigation Agency (NIA) sent a team to AIIMS on November 25. Besides CERT-in and NIC teams, a team from the Defence Research and Development Organisation (DRDO) is also looking into the matter, said sources. The Delhi Police, Intelligence Bureau, Central Bureau of Investigation and the Ministry of Home Affairs (MHA) are also probing the incident.