Ransomware · Contained

AIIMS Delhi ransomware

Ransomware encrypted the core IT systems of the All India Institute of Medical Sciences in New Delhi, India's most prestigious public hospital, taking patient registration and clinical records offline for roughly two weeks during the peak winter patient load.

Victim: All India Institute of Medical Sciences (AIIMS) New Delhi
Loss: $15.0M
Users affected: 40.0M

On 23 November 2022, the All India Institute of Medical Sciences (AIIMS) New Delhi — India's most prestigious public hospital and the apex of the Indian central-government healthcare system — discovered that ransomware had encrypted its core clinical and administrative IT systems. Patient registration, lab results, radiology, and the electronic outpatient department (eOPD) all went offline simultaneously, and AIIMS reverted to paper-based operations for the first time in over a decade.

The disruption lasted approximately two weeks during AIIMS's peak winter patient load.

What happened

AIIMS Delhi is a referral hospital of last resort for much of the Indian subcontinent. Its patient base draws from across India and neighbouring countries; on a typical day AIIMS handles 15,000+ outpatient visits and several thousand admitted patients, and smaller hospitals route complex cases to AIIMS specialists for referral procedures.

On the morning of 23 November 2022, AIIMS IT staff discovered ransomware encryption on the eHospital suite — the integrated platform running patient registration, admissions, clinical documentation, lab results, and radiology. Within hours:

  • Patient registration halted; new admissions were paper-based.
  • Doctors and nurses ran morning rounds without electronic access to patient histories.
  • Lab and radiology results could not be electronically routed; physical paper was hand-carried between departments.
  • Pharmacy continued to fill prescriptions using physical scripts.

The hospital remained open and operational, but at a degraded service level. No patient deaths were attributed publicly to the IT disruption — though AIIMS's normal operational pace slowed significantly.

Refusal to pay

Indian press reports over the following days, citing unnamed official sources, indicated:

  • The attackers had demanded approximately ₹200 crore (~$24 million USD) in cryptocurrency. Delhi Police publicly disputed that any ransom demand had been received, so the figure remains unconfirmed.
  • AIIMS, as a central-government institution, did not pay, consistent with standing Government of India guidance not to pay ransomware demands.
  • CERT-In, the Central Bureau of Investigation, and the National Investigation Agency all engaged in the response, alongside the Delhi Police.

Attribution ambiguity

The Indian government's public attribution was deliberately ambiguous. Minister of State for Health Bharati Pravin Pawar told Parliament on 6 December 2022 that "preliminary analysis" suggested the operation was conducted by "cyber criminals from a foreign country". Indian press widely interpreted this as a reference to Chinese state-aligned actors, drawing on broader India-China cyber-tensions in the post-Galwan period.

The specific ransomware family used has not been publicly confirmed, and the Indian government has not formally attributed the attack to a named criminal operation or state actor. The case sits in the deliberately vague attribution category typical of Indian government incident disclosures.

Recovery

AIIMS's recovery was gradual:

  • Day 1: paper-based operations begin.
  • Day 7: outpatient registration restored on parallel infrastructure.
  • Day 14: most clinical systems restored.
  • Day 30+: some administrative and research systems remain offline.

The AIIMS incident set off a major central-government hospital cybersecurity programme that has since funded infrastructure upgrades across all AIIMS campuses in India and the wider central-government health-services network.

Impact

  • 40+ million patient records in AIIMS's databases at risk (records of all current and former AIIMS patients; the extent of actual exfiltration before encryption has not been publicly confirmed).
  • Two weeks of degraded clinical operations at India's premier public hospital.
  • Multiple follow-on attempts against other Indian central-government hospitals in the months following AIIMS, including Safdarjung Hospital (similar incident, December 2022) and several state hospitals.
  • Direct AIIMS remediation cost: ~$10–15M.

Why it matters

AIIMS Delhi is the canonical Indian healthcare-ransomware case and the most-cited motivating event for India's expansion of healthcare cybersecurity policy. It established:

  • That Indian central-government healthcare systems are operationally targetable by ransomware, with significant blast radius. AIIMS's centrality in the Indian healthcare referral system meant the disruption rippled through smaller hospitals dependent on AIIMS for specialist referrals.
  • That paper-based clinical operations are still viable at scale in Indian government healthcare — partly because India's healthcare system has not fully digitised, partly because senior clinical staff remember paper-based procedures from earlier eras.
  • That deliberately-vague state attribution is a continuing Indian government practice for major incidents. The "foreign country" framing without explicit naming preserves diplomatic flexibility while signalling the political dimension.
  • That healthcare sector cybersecurity funding in India has materially expanded in response. The post-AIIMS central-government healthcare cybersecurity programme is the largest single sectoral cyber-policy initiative in Indian central government to date.

Financial impact

Reported costs in USD

  • Total reported loss: $15.0M
  • Ransom demanded: $24.0M (as reported in Indian press; disputed by Delhi Police)
  • Ransom paid: none (refused)
  • Business loss: $5.0M
  • Remediation: $10.0M

Timeline

  1. AIIMS Delhi IT staff discover that the hospital's patient registration, admission, and clinical record systems are encrypted. eOPD (electronic outpatient department), laboratory, and radiology systems are offline.

  2. AIIMS reverts to manual paper-based patient registration. Doctors and nurses run morning rounds without access to electronic patient records.

  3. Indian Computer Emergency Response Team (CERT-In) and the Central Bureau of Investigation engage. National Investigation Agency joins the investigation given critical-infrastructure implications.

  4. Indian press, citing unnamed official sources, reports that the attackers demanded ~₹200 crore (~$24M USD) in cryptocurrency; Delhi Police dispute that any demand was received. AIIMS does not pay.

  5. Indian Minister of State for Health Bharati Pravin Pawar tells Parliament that 'preliminary analysis' suggests the operation was conducted by 'cyber criminals from a foreign country', widely interpreted in Indian press as a reference to Chinese state-aligned actors.

  6. Most clinical systems restored. Some research and administrative systems remain offline into 2023.

  7. Indian Ministry of Health establishes a new cybersecurity reference architecture for central government hospitals, citing AIIMS as the motivating case.

Sources

  1. aiims.edu: https://www.aiims.edu/index.php/en/aiims-news
  2. thehindu.com: https://www.thehindu.com/news/national/aiims-server-down-due-to-ransomware-attack/article66185611.ece
  3. business-standard.com: https://www.business-standard.com/article/current-affairs/aiims-cyber-attack-chinese-attempted-to-paralyse-services-claims-govt-122120800803_1.html

Related incidents

Ransomware · Contained

Hillel Yaffe Medical Center DeepBlueMagic ransomware (Israel, 2021)

DeepBlueMagic ransomware — attributed by Israeli officials to a Chinese criminal group — hit Hillel Yaffe Medical Center in Hadera, becoming the first known successful ransomware attack on an Israeli healthcare entity. Recovery extended for months. Israeli authorities subsequently reported a wave of follow-on attempts against nine more hospitals.