Personal information of more than 243 million Brazilians was exposed for more than six months thanks to weakly encoded credentials stored in the source code of the Brazilian Ministry of Health’s website. The data leak exposed both living and deceased Brazilians’ medical records to possible unauthorized access. The incident was the second reported by Brazilian publication Estadão and among several others recently affecting South America’s largest nation’s healthcare system.
Sistema Único de Saúde data leak exposed patients’ medical records
For more than six months, personal data belonging to anyone registered with Sistema Único de Saúde (SUS), Brazil’s national health system, could be viewed.
The data leak exposed the full names, addresses, phone numbers, and complete medical records of Brazilians who had signed up for the government's publicly funded healthcare system.
Since the country's population was 211 million in 2019, approximately 32 million of the 243 million exposed records belonged to deceased Brazilians.
The database login credentials were stored in the website's source code encoded with Base64, an encoding that is trivially reversible rather than a form of encryption. Anybody could have viewed the website's source code, and the database credentials in it, using the F12 keyboard shortcut or the "View Source Code" option in the browser's menu.
The exposed database logins could then have allowed anybody to access Brazilians' medical records.
Just last month, Estadão also reported another data leak exposing more than 16 million Brazilian COVID-19 patients' medical records. The breach occurred after an employee uploaded to GitHub a spreadsheet containing usernames, passwords, and the E-SUS-VE system access keys.
The data leak affected high-profile individuals, including Brazilian President Jair Bolsonaro and his family, state governors, and seven cabinet members diagnosed with COVID-19. Both mildly sick patients and those requiring hospitalization had their medical histories exposed in the data leak.
Another data leak, in the e-SUS-Notifica system, also exposed database login credentials through the source code. The online system allows Brazilians to register and receive the government's official COVID-19 notifications. The data leak was discovered in June by the NGO Open Knowledge Brasil (OKBR). Technology firm Zello, formerly MBA Mobi, developed the system and has earned more than $8.5 million from Brazil's health ministry since 2017.
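Both failure modes described above, Base64-encoded database credentials shipped in client-side source and a spreadsheet of logins and access keys pushed to a public repository, are catchable before release with a simple scan of the artifacts that leave the organization. The following Python check is an added example, not code from the original article, the ministry or its contractor: it decodes Base64 runs found in HTML/JS and flags those that decode to credential-shaped text (skipping inline images and other binary blobs), flags plaintext password assignments, and flags spreadsheet exports whose header names a password or key column. The sample HTML, the CSV, and every credential value in it are constructed placeholders.

```python
"""Pre-deploy secret scan for shipped web assets and spreadsheet exports.

Added example (not code from the article or the systems it describes).
All sample inputs and credential values are constructed placeholders.
"""
import base64
import binascii
import csv
import io
import re
from dataclasses import dataclass

# Runs of the Base64 alphabet long enough to be worth decoding; ordinary
# identifiers in HTML/JS rarely reach this length, which limits noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Shapes that decoded or plaintext content takes when it is a credential.
USER_PASS = re.compile(r"^[\w.@-]{2,}:[^\s]{6,}$")
CONN_STRING = re.compile(r"^(postgres|mysql|mongodb|mssql)://[^\s]+:[^\s]+@", re.I)
KEY_VALUE = re.compile(
    r"(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?\S{6,}", re.I)
# Header names (English and Portuguese) that mark a credential column.
CRED_COLUMNS = re.compile(
    r"(password|senha|passwd|pwd|secret|api[_-]?key|access[_-]?key|chave)", re.I)


@dataclass
class Finding:
    kind: str      # base64-credential | plaintext-credential | credential-column
    line: int      # 1-based line number in the scanned text
    evidence: str  # what matched; for Base64 hits, the decoded form


def decode_as_text(token: str):
    """Return the printable UTF-8 text a Base64 token decodes to, or None when
    the token is not valid Base64 or decodes to binary (e.g. an inline PNG)."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def looks_like_credential(text: str) -> bool:
    return bool(USER_PASS.match(text) or CONN_STRING.match(text)
                or KEY_VALUE.search(text))


def scan_source(text: str) -> list[Finding]:
    """Scan HTML/JS exactly as a browser user would receive it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in B64_RUN.finditer(line):
            decoded = decode_as_text(m.group(0))
            if decoded and looks_like_credential(decoded):
                findings.append(Finding("base64-credential", lineno, decoded))
        kv = KEY_VALUE.search(line)
        if kv:
            findings.append(Finding("plaintext-credential", lineno, kv.group(0)))
    return findings


def scan_spreadsheet(csv_text: str) -> list[Finding]:
    """Flag a CSV export whose header row names a credential column."""
    header = next(csv.reader(io.StringIO(csv_text)), [])
    return [Finding("credential-column", 1, col)
            for col in header if CRED_COLUMNS.search(col)]


# Constructed page: line 4 hides "dbuser:ExamplePass123" behind Base64,
# line 5 is a plaintext password, line 7 is a benign inline image.
SAMPLE_HTML = """<html><head>
<script>
  // looks obscured, but Base64 is an encoding, not encryption
  var dbAuth = "ZGJ1c2VyOkV4YW1wbGVQYXNzMTIz";
  var dbPassword = "Example-Plain-Pass";
</script>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">
</head></html>"""

# Constructed export in the shape of an access-key spreadsheet.
SAMPLE_CSV = "usuario,senha,chave_acesso\nadmin,Example-Plain-Pass,EXAMPLEKEY000\n"

if __name__ == "__main__":
    for f in scan_source(SAMPLE_HTML) + scan_spreadsheet(SAMPLE_CSV):
        print(f"{f.kind:22} line {f.line}: {f.evidence}")
```

Run on the constructed inputs, the scan reports the Base64 token on line 4 as `dbuser:ExamplePass123`, the plaintext assignment on line 5, and the `senha` and `chave_acesso` columns of the spreadsheet, while the inline PNG decodes to binary and is ignored. A check like this belongs in CI or a pre-commit hook; the underlying fix is still to keep database credentials out of anything delivered to browsers or pushed to repositories, and to rotate any credential the scan finds.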
Exposing medical records puts millions at risk of cybercrime
Health records fetch a good price on the black market because they contain large amounts of personal information. Given their sensitive nature, cybercriminals could use stolen medical records to blackmail patients and healthcare providers.
The exposed medical records also put millions of Brazilians at risk of financial fraud, identity theft, and account takeovers. Threat actors could use personal details to create fake profiles for committing more crimes.
Worse, most hospitalized patients could be unaware of the data leak or unable to stop any fraudulent activities.
The recent data leaks occur when Brazil’s economy is ailing, and the country’s COVID-19 fatalities are the second-highest in the world.
Given the predictable pattern of Brazilian health systems' data leaks, it seems that the affected systems were developed by a single developer with little cybersecurity knowledge. Besides, any amateur software developer knows that a website's code can be viewed from the browser and that Base64 encoding does not hide data from attackers.
Source: CPO Magazine
Photo by Hush Naidoo on Unsplash