Cyber terror in labour room: Curtains left open, weak passwords, eight hackers, and viral clips
Inside a case of laxity, perversion, and an astounding breach of privacy: What started as a hospital CCTV hack and patient privacy violation spiralled into one of Gujarat’s most unusual cyber terror prosecutions, in which eight men have been arrested for ‘stealing videos’ of women patients and selling them online. Here’s how the racket was busted.
The Rajkot labour room CCTV hack case uncovered a shocking privacy breach in which hackers allegedly accessed hospital surveillance systems, stole sensitive patient videos and sold them online, prompting Gujarat Police to invoke cyber terrorism provisions against eight accused. (Express Photo) February 17, 2025. Around 5 pm, a chilling video began circulating on social media. It showed a nurse administering an injection to a female patient at a private body part.
Police traced the video to a maternity hospital in Rajkot, about 220 km west of Ahmedabad. Over the next five months, they arrested eight men and booked them for cyber terrorism, a section usually applied in cases pertaining to national security and to protect critical national strategic assets from cyber attacks.
How did such a video of a patient in a hospital end up online? Police began their probe at the hospital.
Discovery of the crime
The hospital in question is housed in a four-storey commercial building. Couples sit in joined metal chairs in the waiting room, many with medical reports in their hands. A video playing on a screen shows “success stories” of couples leaving the hospital with new-born babies in their arms.
The hospital administrator recollected the shock of discovering the crime last year. “A patient had just gone into labour, and the staff was busy. In the middle of that, a reporter approached us and said footage of our hospital was being shown on the Internet. We were horrified… We didn’t know,” the administrator said.
“We immediately went to the police station. The Rajkot City police told us they were already aware and an FIR had been registered by the Cybercrime Branch in Ahmedabad City. We had no facts, other than knowing that CCTV footage from our labour room was being sold online,” he said.
But it wasn’t just one video, and not just one hospital. Investigators soon found that several clips from CCTV footage of women patients in the labour room were being sold on closed Telegram groups, with “trailer” clips advertised on YouTube for potential “buyers”. Prices ranged from Rs 800 to Rs 2,000, depending on the nature of the content.
Staff and patients at the hospital were questioned for days, and CCTV footage was scanned for clues. “The police were here for three-four days,” the hospital administrator said. “They interviewed staff, took our electronic gadgets and spoke to patients… We cooperated, we even went to Ahmedabad a couple of times as part of the investigation. Eventually, they concluded that the CCTV system had been hacked from outside the hospital.”
The arrests and uproar
On February 18, 2025, the Ahmedabad City Cybercrime Branch found videos on three YouTube channels. They wrote to Google seeking details of the operators of the channels, and following a prompt response from Google, identified people based in Maharashtra and Uttar Pradesh.
Teams were sent to both states, and three accused were apprehended. At a press conference on February 19, 2025, Ahmedabad City Police Joint Commissioner (JCP) Sharad Singhal, DCP (Cybercrime) Lavina Sinha, and DCP (Crime) Ajit Rajian announced that Prajwal Ashok Teli (23) had been arrested in Latur, Maharashtra, Praj Rajendra Patil (19) in Sangli, Maharashtra, and Chandraprakash Phoolchand (33) in Prayagraj, Uttar Pradesh.
Singhal said the men used virtual numbers to communicate with hackers in Romania and Atlanta in the US. The police alleged that CCTV feeds of several hospitals, malls, and commercial buildings had been hacked. The accused allegedly clipped videos of women patients while they were being examined, uploaded snippet-like teasers on YouTube, and offered them for sale. Singhal stressed that prima facie, no hospital staff appeared to be involved.
“The phones of the arrested accused revealed contacts of the other accused persons. We also found videos, groups, and financial transactions on their electronic devices,” an investigator said.
The police unearthed 22 channels that were being run under a Telegram group, ‘Megha Demos’, where videos were categorised by “kinks” such as voyeurism and exhibitionism. Police also found several other Telegram groups — ‘Demo CCTV’, ‘CCTV Injection Group’, ‘CCTV Demo Premium’, and ‘CCTV Group’. While previews were shared on the ‘Demo Group’, videos were sold on the ‘Premium Group’, police officers said. They estimated that the accused may have earned more than Rs 8 lakh from the sale of these videos before the racket was busted.
On February 23, police arrested three more accused: Vaibhav Bhandu Mane (24) of Sangli, Parit Ghanshyam Dhameliya (36) of Surat, and Ryan Robin Pereira (20) of Vasai, Maharashtra.
On February 24 last year, Gujarat Home Minister Harsh Sanghavi told the Assembly that two hackers had hacked more than 50,000 CCTVs in the last eight months, and that these videos were from all across India — including from premises such as corporate offices, schools, colleges, movie theaters and personal videos of homes, apart from hospitals.
On February 26, Delhi resident Rohit Sanjaykumar Sisodia (27) was arrested. Police filed the first chargesheet against the seven on May 17 before the 13th Additional Chief Judicial Magistrate at Gheekanta, Ahmedabad.
An eighth accused, Tushar Anil Santramsingh Bhatia (22) of Dehradun, Uttarakhand, was arrested on June 12 — the same day as the deadly Air India flight AI-171 crash.
“We recovered hacking tools and monetary transactions in Tushar’s digital devices. We also found CCTV footage from other places they had hacked, as well as Telegram groups and communication links to the other accused.”
Police also recovered alleged bank statements and financial paper trails. A supplementary charge sheet was filed on September 12.
Legal provisions
Prajwal, Praj Patil and Chandraprakash were initially booked under Sections 66E (violation of privacy) and 67 (publication of obscene material) of the IT Act. However, these sections carry a maximum sentence of three-five years and fine, and there was fear that the accused could get bail easily since the quantum of sentence was less than seven years.
The alleged crime, on the other hand, would have lasting repercussions on the victims and their families, officers in the Cybercrime Branch of the Ahmedabad City Police felt.
At a meeting in the Cybercrime Branch headquarters in Shahibaug, police officers debated how the legal knot around the accused could be tightened. One of the officers flagged Section 66F of the IT Act, sources said. On February 21, 2025, the Investigation Officer (IO) sought the permission of the court to add Sections 61 (criminal conspiracy) and 77 (voyeurism) of the Bharatiya Nyaya Sanhita 2023 (BNS) and Sections 43(b) (digital extraction of data), 66 (hacking and data theft), and 66F(2) of the IT Act to the FIR. The last section deals with cyber terrorism and carries a maximum punishment of life imprisonment.
Clause (A) of Section 66F(2) applies when a person illegally accesses or attempts to access a computer system with the intention of threatening the country’s unity, security or sovereignty, or to strike terror among the public.
Clause (B) covers situations where someone knowingly gains unauthorised access to a computer resource and obtains access to restricted or sensitive digital data, and investigators believe that the information could be used in a way that harms national security, foreign relations, public order, decency or morality.
“We were able to invoke Section 66F(2) because prerequisite (B) contains the words, ‘or any restricted information, data or computer data base, with reasons to believe that such information, data or computer data base so obtained may be used to cause or likely to cause injury to the interests of… public order, decency or morality’…,” a senior officer who has associated with the case from the beginning, said.
Modus operandi of crime
The chargesheet details how the accused coordinated through Telegram, exchanged hacking tools, shared CCTV access credentials, and routed payments via UPI and gift vouchers.
Tushar and Parit were allegedly in touch through the Telegram group. “They…exchanged information on CCTV hacking…and hacking tools, for which they made financial transactions…and got payments to their bank accounts through UPI. They further exchanged QR codes for CCTV access from each other, based on which they hacked the hospital’s CCTV,” says the chargesheet.
“IP logs of Tushar…have been found in the Digital Video Recorder (DVR) of the hospital. Four CCTV hacking applications have been found [on his mobile phone]… Eight other hacking tools have been found on his laptop,” it says.
Parit allegedly hacked CCTV cameras of the hospital using hacking tools. “IP logs of accused Parit…have been found in the DVR of the hospital,” says the chargesheet.
According to the chargesheet, footage of the medical examination of a female patient was hacked, and that the accused forwarded the IP address list and photographs to co-accused Rohit Sisodia.
“Based on this IP address…Rohit…entered this IP and password in an application…through which he got access to the CCTV camera of the hospital in Rajkot and hacked [it],” says the chargesheet, adding that an Internet Protocol Details Record (IPDR) was also found in the DVR.
Rohit is alleged to have then “downloaded live videos of the medical examination of a female patient…and shared 150 more videos from the CCTV footage…on his Telegram group. To get live access to watch and download videos of the labour room of the hospital, people were asked to pay Rs 700”.
Prajwal allegedly joined the Telegram group after paying Sisodia Rs 700. According to police, he then “downloaded the videos of the hospital and put them up on his own YouTube channel. He further shared the videos with Praj Patil, who, in turn, uploaded them on his YouTube channel.”
Praj Patil too allegedly shared the YouTube links to these videos on his Telegram channel, and set up a payment QR code with a menu of different types of videos for customers.
Vaibhav, police said, is accused of allegedly joining Prajwal to market the videos and share the proceeds from their sale. Parit is also accused of allegedly teaching co-accused Ryan how to hack CCTV cameras, giving him access to the hospital’s footage. Police found Ryan’s IPDR in the DVR of the hospital.
Pereira is accused of deleting evidence from his electronic devices, selling hacking tools to another person named as a witness in the case, and taking payment by means of Amazon gift vouchers, police said.
Another accused, Chandraprakash Phoolchand, also obtained videos from the hospital and uploaded them, along with voyeuristic videos of women at the Mahakumbh, on his YouTube channel.
Oversight, way forward
Police have not included hospitals as accused, but officers acknowledged there were “oversights” on their part.
They had not changed the default password of the CCTV cameras from “admin@123” after they were installed. And they sometimes failed to draw the privacy curtains in the labour room to shield the patient from the camera.
ACP Hardik Makadia of Ahmedabad City Cybercrime Branch told The Indian Express, “…They had no criminal intent. Staff forgot to draw the curtains sometimes…but we did not find their involvement…”
The hospital administrator conceded there was “mismanagement” on the part of staff who had failed to draw the curtains to ensure patient privacy. But he said that CCTV cameras were necessary in labour rooms and operation theatres to protect doctors against possible “allegations”. “Every patient is different, and there are unexpected risks,” he said. The hospital took patients’ consent, he said, and “The government has not issued any guidelines.”
ACP Makadia stressed on the need for robust cybersecurity. “People are still not doing enough to invest in it,” he said. “The hospital had not changed the default password. The situation is so bad, but many institutions still refuse to pay enough attention to this matter, making themselves vulnerable to hacks.”
Dr Nitin Vora, president of the Gujarat Medical Council (GMC), told The Indian Express, “There are many doctors who display surgeries in the interest of patients and satisfaction of the families. Here, there is no violation because it is done with consent and access is limited to persons involved in the process. As far as certain delicate processes are concerned, the hospital must make sure that unauthorised persons are not able to access such data.”
Dr Vora also stressed on having safer systems. “…We have seen that hackers can breach several layers of security, in which case, the hospital may not be held accountable — but that does not mean we don’t pay attention to cybersecurity, it is the need of the hour,” he said.
The incident has led to an internal study at the Gujarat State Branch of the Indian Medical Association (IMA-GSB) to frame guidelines to ensure the safety and privacy of both patients and medical practitioners.
“In a medical setting, CCTV cameras are placed either for HR purposes – for administrators or unit heads to monitor work – or for safety purposes, to which the privacy of patients is linked, IMA-GSB president Dr Mehul Shah said. “Our team is working on a set of draft guidelines after this incident and we hope to release it in Gujarat soon,” he said.
Dr Bharat Gadhvi, convenor of the Gujarat Association of Hospitals, Nursing Homes and Allied Healthcare Services (GAHNA), said the privacy of patients cannot be compromised.
“While this is enshrined in ethics, it is now also in the Digital Personal Data Protection Act (DPDP) Act, which means it’s the hospital’s responsibility to protect patient data. At the same time, the culprits should be punished severely to deter others,” he said.
Share
