ORS Patient Portal —Digital India initiative put at risk the leakage of millions of patients’ health information

What is ORS Patient Portal?

Online appointment booking
Access Appointment Details

Just to bring some technicality — It was a simple vulnerability of IDOR — Insecure Direct Object References where just tampering/changing a parameter/ID linked to a specific user could provide access to the data/information of some other user.

Other Patient details getting accessed
Access to Other Patient details
and similarly, in no time, the count of records reached to around 18,000 patients details that was just belonging to a single hospital AIIMS DELHI of some days and these numbers went on increasing disclosing details of every appointment made at any hospital at any given day from the time the ORS service was launched. 
Taken from ors.gov.in

The vulnerability could have allowed every single patients records to be accessed. As the data given in the ORS site (above screenshot), it has total 237 hospitals registered as of dated 18th Nov’19 and total appointments made at the portal is 30,82791 approximatley 31 Lacs (3.1 Million). The time vulnerability was found and reported the number was around 20 Lacs (2 Million).
This vulnerability had potentially kept data of 20 lacs users at risk — thier PII(Personally identifiable information) and PHI (Protected health information) details.

First mail sent to CERT team
Acknowledgment from CERT-In
Acknowledgment of bug fix
CERT-In reply
As per information reported to and tracked by CERT-In, more than 300,000 cyber-security incidents were reported in 2019 - a steep increase from a 50,362 incidents in 2016.This is where security researchers or ethical hackers become increasingly important because they can help protect against possible attacks and access flaws in the digital infrastructure.


Security Engineer @Microsoft | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes, BBC| Acknowledged by Google, NASA, Yahoo, UN etc