Full Report
In June 2025, the Indian CME platform Omnicuris suffered a data breach that exposed approximately 200k records of healthcare professionals. The data included names, email addresses, phone numbers, geographic locations and other data attributes relating to professional expertise and training progress. Omnicuris is aware of the incident.
Analysis Summary
# Incident Report: Omnicuris Healthcare Data Breach (June 2025)
## Executive Summary
In June 2025, the Indian Continuous Medical Education (CME) platform Omnicuris suffered a data breach resulting in the exposure of over 215,000 records belonging to healthcare professionals. The compromised data included sensitive personal and professional details. The incident became public after the data appeared in Have I Been Pwned (HIBP) in July 2025.
## Incident Details
- Discovery Date: July 13, 2025 (date the data was added to HIBP)
- Incident Date: June 2025
- Affected Organization: Omnicuris
- Sector: Healthcare/Education Technology (CME Platform)
- Geography: India (Implied, based on context of Indian CME platform)
## Timeline of Events
### Initial Access
- Date/Time: June 2025 (Approximate)
- Vector: Not explicitly detailed in the source; assumed to be exploitation of a system vulnerability or weak credential management.
- Details: Attackers gained access to Omnicuris servers containing user data.
### Lateral Movement
- Details: Not detailed in the source.
### Data Exfiltration/Impact
- Details: Approximately 215,300 records were exfiltrated. This included names, email addresses, phone numbers, geographic locations, and data related to professional expertise and training progress.
### Detection & Response
- Details: Omnicuris was confirmed to be aware of the incident. Detection likely coincided with the data being indexed by HIBP on July 13, 2025. Specific response actions taken by Omnicuris (beyond acknowledging the incident) are not detailed.
## Attack Methodology
- Initial Access: Unknown/Unspecified.
- Persistence: Unknown/Unspecified.
- Privilege Escalation: Unknown/Unspecified.
- Defense Evasion: Unknown/Unspecified.
- Credential Access: Unknown/Unspecified.
- Discovery: Unknown/Unspecified.
- Lateral Movement: Unknown/Unspecified.
- Collection: Gathering PII and professional data points.
- Exfiltration: Data removal from the platform's databases.
- Impact: Data breach of sensitive provider information.
*(Note: specific technical attribution details, i.e. TTPs beyond data collection, were not provided in the source material.)*
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Approximately 215,300 records exposed, containing names, email addresses, phone numbers, and professional details (expertise/training progress) of healthcare professionals.
- Operational: Not disclosed, but potential regulatory impact due to handling healthcare professional data.
- Reputational: Negative impact evidenced by inclusion in HIBP.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: None provided.
## Response Actions
- Containment measures: Not detailed.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed, though the public messaging focused on advising affected users to change passwords and enable 2FA on related accounts.
## Lessons Learned
- The platform's security controls were insufficient to prevent the compromise of a significant volume of personally identifiable and professional information.
- Reliance on user action (password changes) suggests limited root-cause visibility or a lack of immediate systemic remediation.
## Recommendations
- Conduct a thorough forensic investigation to determine the exact initial access vector and TTPs used by "Threat Actor 888."
- Immediately review and implement stronger access control policies and encryption for sensitive records.
- Mandate the use of strong, unique passwords and enforce Two-Factor Authentication (2FA) for all users and administrators immediately.
- Review data retention policies to minimize the storage of sensitive PII/professional data that is no longer strictly necessary.