What happened
Authorities in Gujarat have uncovered a major cyber-crime incident at Payal Maternity Hospital in Rajkot, where hackers accessed and stole CCTV footage from the gynaecology ward. The breach was traced to the hospital’s CCTV systems being protected only by the factory-default password “admin123”. Investigations show that the footage — which reportedly included intimate video of pregnant women and medical examinations — was extracted over a period of around nine months and then sold online via porn-and-fetish networks.
Scale and modus operandi
- Cyber-criminals exploited weak default credentials (“admin”, “admin123”) to log into unsecured CCTV dashboards. One article estimates that over 80 dashboards across 20 states were compromised, not only in hospitals but also schools, homes and malls.
- The stolen clips were reportedly sold for Rs 700 to Rs 4,000 each, via messaging platforms like Telegram.
- According to reports, the Rajkot hospital incident began because the CCTV server had not been secured or updated, giving hackers remote access.
Why this is alarming
This incident raises deeply serious concerns on multiple fronts:
- Privacy violation & sensitive data exposure: Footage from a maternity ward is intensely private and its theft and exploitation is a grave breach of trust and dignity.
- Cyber-security negligence: The fact that a hospital used default login credentials shows systemic weakness in safeguarding critical healthcare and surveillance infrastructure.
- Commercialisation of abuse: The harvested videos were monetised, turned into fetish content and sold internationally — expanding the impact far beyond a local data leak.
- Broader threat context: The hack is symptomatic of a wider cyber-crime threat targeting CCTV systems and IoT devices with lax security.
Response from authorities
Following the revelations:
- Law-enforcement in Gujarat has registered a cyber-crime case and is investigating digital trails of the video-traffic.
- The police have issued advisories for all institutions (hospitals, schools, commercial establishments) to change default passwords, update firmware, activate two-factor authentication and remove remote access if unnecessary.
- Hospital administrations and regulatory authorities are under pressure to audit their CCTV and other networked systems, ensure encryption and restrict access.
What needs to be done
- Hospitals and critical-infrastructure providers must audit all network devices, identify default builds, change credentials immediately, patch vulnerabilities and log access.
- Regulators should establish minimum cyber-security standards for CCTV and surveillance systems in public and private-sector institutions — especially healthcare facilities.
- There must be transparency and redress: victims of the breach must be notified, psychological support offered and mechanisms for accountability strengthened.
- Awareness campaigns are needed to alert smaller institutions (labs, clinics, schools) that remote-accessible CCTV devices are potential entry points for cyber-crime.
- A coordinated national effort between cyber-crime units, health regulators and IT law enforcement is necessary to detect, disrupt and prosecute such commercial exploitation of private video data.
Final word
What began as what appeared to be an administrative oversight — a hospital retaining default CCTV credentials — has evolved into one of the more disturbing cyber-crime revelations in India: private medical moments hijacked, sold and distributed across borders. The magnitude of the breach and its implications underscore that in our connected age, security of systems is inseparable from protection of personal dignity. Institutions entrusted with care must up their technical defences — before the next exploitation.
