Brazil's Health Ministry's Data Leak

Brazil’s Health Ministry’s Data Leak Exposed 243 Million Medical Records for More Than 6 Months

Personal information of more than 243 million Brazilians was exposed for more than six months because database credentials were stored, only weakly encoded, in the source code of the Brazilian Ministry of Health's website. The data leak exposed the medical records of both living and deceased Brazilians to possible unauthorized access. The incident was the second reported by the Brazilian publication Estadão and one of several recently affecting the healthcare system of Brazil, South America's largest nation.

Sistema Único de Saúde data leak exposed patients’ medical records

For more than six months, personal data belonging to anyone registered with Sistema Único de Saúde (SUS), Brazil’s national health system, could be viewed.

The data leak exposed people’s full names, addresses, phone numbers, and full medical records of Brazilians that signed up for the government’s public-funded healthcare system.

Since the country's population was 211 million in 2019, roughly 32 million of the exposed medical records must have belonged to deceased Brazilians.

The database login credentials were encoded using Base64, an encoding that is trivially reversible and offers no protection. Anybody could have viewed the website's source code, and the database credentials in it, using the F12 keyboard shortcut or the "View Source Code" option in the browser's menu.

With those database logins in hand, anybody could have gained access to Brazilians' medical records.

Just last month, Estadão also reported another data leak exposing the medical records of more than 16 million Brazilian COVID-19 patients. The breach occurred after an employee uploaded to GitHub a spreadsheet containing usernames, passwords, and the E-SUS-VE system access keys.

The data leak affected high-profile individuals, including Brazilian President Jair Bolsonaro and his family, state governors, and seven cabinet members diagnosed with COVID-19. Both mildly sick patients and those requiring hospitalization had their medical histories exposed in the data leak.

Another data leak, in the e-SUS-Notifica system, also exposed database login credentials through the source code. The online system allows Brazilians to register for and receive the government's official COVID-19 notifications. The data leak was discovered in June by the NGO Open Knowledge Brasil (OKBR). Technology firm Zello, formerly MBA Mobi, developed the system and has earned more than $8.5 million from Brazil's health ministry since 2017.
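All three incidents share one root cause: credentials committed into source code, in two cases with nothing more than Base64 in front of them. The check a practitioner would want is a scanner that runs over shipped client-side code (and over anything about to be pushed to a repository) and decodes every Base64-looking token to see whether it contains a credential. The following is an added example, not code from the article or from any of the Brazilian systems it describes; the JavaScript fragment and the credential inside it are constructed for the demonstration.

```python
import base64
import binascii
import re

# Constructed sample: a fragment of client-side JavaScript of the kind the
# article describes, with a Base64-encoded database credential embedded in it.
# The value is made up for this example.
SAMPLE_SOURCE = """\
const API = "https://example.invalid/api";
// connection settings
var dbAuth = "ZGJfdXNlcjpTdXBlclNlY3JldDEyMw==";
var theme = "ZGFyaw==";
function init() { console.log("ready"); }
"""

# Candidate Base64 tokens: runs of the Base64 alphabet at least 16 characters
# long with optional '=' padding. Shorter runs are ignored to limit noise.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Patterns that make a decoded string look like a credential.
CREDENTIAL_HINTS = [
    re.compile(r"^[\w.\-]+:[^\s]{6,}$"),                    # user:password
    re.compile(r"(password|passwd|pwd|secret|token)\s*[=:]", re.I),
    re.compile(r"^(postgres|postgresql|mysql|mongodb)://", re.I),  # connection URI
]


def decode_if_text(token):
    """Return the token decoded as printable UTF-8 text, or None if it is not
    valid Base64 or does not decode to printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def scan_source(source):
    """Scan text line by line and return (line_no, token, decoded) for every
    Base64 token whose decoded form looks like a credential."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for token in B64_TOKEN.findall(line):
            decoded = decode_if_text(token)
            if decoded is None:
                continue
            if any(p.search(decoded) for p in CREDENTIAL_HINTS):
                findings.append((line_no, token, decoded))
    return findings


if __name__ == "__main__":
    for line_no, token, decoded in scan_source(SAMPLE_SOURCE):
        # Report where the credential sits; never log the decoded secret itself
        # in a real pipeline, only that one was found.
        print(f"line {line_no}: Base64 token {token[:8]}... decodes to credential-like text")
```

Run as a pre-commit hook or CI step, a non-empty result from scan_source fails the build. The decoding step is the whole point: Base64 is a transport encoding, not encryption, so a scanner (or anyone pressing F12) recovers the original value immediately. The fix the scanner enforces is that database credentials never reach client-side code at all; they belong in server-side configuration or a secrets manager, read by the backend at runtime.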

Exposing medical records puts millions at risk of cybercrime

Health records fetch a good price on the black market because they contain large amounts of personal information. Given their sensitive nature, cybercriminals could use the stolen medical records to blackmail patients and healthcare providers.

The exposed medical records also put millions of Brazilians at risk of financial fraud, identity theft, and account takeovers. Threat actors could use personal details to create fake profiles for committing more crimes.

Worse, most hospitalized patients could be unaware of the data leak or unable to stop any fraudulent activities.

The recent data leaks occur when Brazil’s economy is ailing, and the country’s COVID-19 fatalities are the second-highest in the world.

Given the predictable pattern of Brazilian health systems' data leaks, it seems that the affected systems were developed by a single developer with little cybersecurity knowledge. Besides, any amateur software developer knows that a website's client-side code can be viewed from the browser and that Base64 encoding does not hide data from attackers.

Source: CPO Magazine

Photo by Hush Naidoo on Unsplash
