article featured image


On September 19th, 2022, a breach affecting Bahmni company was discovered. The Bahmni Hospital Management System was breached exposing the PII (Personal Identifiable Information) and EMR (Electronic Medical Record) of 197,497 users.

Bahmni offers a comprehensive healthcare solution by combining several open-source products used by more than 500 websites in over 50 countries. The company declares that it manages the medical record of over two million people.

Details About the Breach

VPNOverview’s security team discovered an unsecured AWS S3 bucket belonging to Bahmni.

The Amazon S3 bucket contained database backup regarding the popular open-source Bahmni EMR and hospital management system. The researchers could use it to restore the backup and browse through the data.

Upon examining the bucket, we found it contained an OpenMRS database backup VPN Overview’s security team was able to restore the backup and browse through the data.


On 21 September 2022, Bahmni closed the breach and secured the medical records.

What Data Was Exposed?

The data leak exposed the medical information of 197,497 people from the Chhattisgarh state of central India. Affected individuals were patients at a hospital system in Ganiyari village, 500 miles west of Kolkata.

PII Breach Discovered on Bahmni Hospital Management System


Exposed data contained:

  • Medial appointment dates
  • Hospital admissions
  • Age, gender, and names of patients
  • Location of the patients, minus the street addresses which were anonymized

Besides PII and EMR, the leak contains hashed passwords of healthcare professionals and staff. Although the passwords are encrypted right now with the SHA-512 algorithm, the hashes may become insecure over time.

Bahmni leaked each password with its corresponding salt. When kept private, password salts can mitigate the severity of a password breach. But since the salts leaked along with the passwords, they provide no extra security.


The Risks of This Breach

EMR are a great way for hospitals to share patients’ health information and can help to a more accurate diagnosis and treatment.

The security of EMRs is highly important as cybercriminals can use them to launch targeted social engineering attacks.

I’m glad Bahmni acted to secure this information. Hackers could use this data in a lot of different ways. It could help them target users for scams, or even access prescription drugs. But clearly it was dangerous to leave laying around in an open bucket.

VPNOverview security analyst Aaron Phillips

If you liked this article, follow us on LinkedInTwitterFacebookYouTube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.