Personal details of millions of citizens registered in the Brazilian healthcare system have been exposed in separate blunders relating to data management and security involving the country’s Ministry of Health (MoH).
The most recent incident entails the exposure of details such as names, addresses and telephone numbers, as well as taxpayer registration numbers belonging to approximately 243 million Brazilians. The number is greater than the current population size of 212 million because the leak also included information about deceased citizens.
The leak was first reported by Brazilian newspaper O Estado de São Paulo in an article published last Wednesday (the 2nd). According to the article, login and password details for ministerial systems had been openly published online. One of the systems in question, e-SUS Notifica, which handles the registration of suspected and confirmed Covid-19 cases, was developed in partnership with technology company Zello.
After the problem was exposed, the supplier and the MoH found there was a vulnerability in the integration between the ministerial back-end systems and the system front-end, according to a statement issued by Zello, which noted that the vulnerability was patched by the ministry as soon as the Estado article was published.
The latest leak relating to Brazil’s Ministry of Health follows another security incident, also reported by O Estado de São Paulo four days earlier, relating to the exposure of personal details of millions of Brazilians who tested positive for Covid-19 after passwords to systems maintained by the MoH were openly published online.
The passwords were published on the code hosting platform GitHub by an employee of Albert Einstein Hospital, one of the main private healthcare organizations in Brazil, according to the report. The two institutions collaborate on projects under a public-private cooperation for the national advancement of healthcare.
The article estimated that as many as 16 million patients across the public and private healthcare system had their data exposed in that earlier incident, since notification of suspected and confirmed Covid-19 cases is mandatory for all hospitals. None of the institutions confirmed the exact number of records that were accessible as a result of the leak.
The leak exposed details including addresses, previous medical history and social security numbers of citizens and of senior politicians, including president Jair Bolsonaro, at least seven other ministers, 17 state governors and the leaders of the Lower House of Congress and the Senate.
Also according to the report, the spreadsheet with the passwords remained available for nearly a month. The story added that with that information it was possible to access two key federal government systems, including e-SUS Notifica and another platform which handles hospital admissions for Acute Respiratory Syndrome conditions, which include Covid-19.
At the time of the first incident, the Ministry of Health said in a statement that its IT department had “immediately revoked all access to the logins and passwords that were contained in the [leaked] spreadsheet”. It added that the hospital had informed the MoH that it had started a fact-finding process about the incident.
“The hospital’s cyber security team is taking all measures to contain a possible leak of files containing login and password to access system information via Elastic Search”, it noted.
The file containing the passwords has been deleted and potential websites or cyberspaces where data may have been replicated are being tracked, the statement added. The hospital also confirmed that the first incident was prompted by a human error by one of its employees rather than a system fault.
Also according to the MoH, the databases “are not easy to access, since only login and password are not enough to reach the information contained in the databases – but a set of technical factors”.
The Brazilian Institute for Consumer Rights (IDEC) filed a request with the Brazilian Prosecution Service to launch an investigation into the first incident, relating to the ministry’s partnership with the hospital: “Once again we are faced with serious security flaws that may have caused damage or even harm a large number of Brazilians”, said Bárbara Simão, lawyer and specialist in digital rights at the institute.
“We can see that not even a government system that stores health data – which should set an example due to the nature of that information – is safe. It is another example that shows the need for both the public and private sectors to invest more in protecting consumers”, she added.
IDEC points out that “the seriousness of the incident still surprises by the lack of basic care related to the security of stored information”. Among the main points highlighted by the institute are the fact that a table with login details such as usernames and employee passwords was fully available; the failure to enforce basic security measures such as two-factor authentication; and the fact that no other strict security criteria had been adopted, given the sensitivity of the data and the related exposure risks.
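The failures IDEC lists, above all a plaintext table of usernames and passwords that a single employee could push to a public repository, are the kind of thing a pre-commit check can refuse before it leaves the workstation. The script below is an added example written for this article, not code from the Ministry of Health, the hospital or Zello; the header vocabulary (Portuguese and English labels such as `login`, `usuário`, `senha`, `password`) and the sample sheets used to exercise it are constructed assumptions about what an exported access list might look like. It flags any CSV or TSV in which a login-like column and a secret-like column are both present and at least one row fills both.

```python
"""Pre-commit style guard against credential spreadsheets (CSV/TSV).

Added example for this article, not code from the Ministry of Health, the
hospital or Zello. The header vocabularies are assumptions about how an
exported access list might be labelled.
"""
import csv
import io
import re
import sys
from dataclasses import dataclass

# Header names that typically mark a login column (assumption: common
# Portuguese and English labels an export might carry).
LOGIN_HEADERS = re.compile(r"^(login|usu[aá]rio|username|user|e-?mail)$", re.I)
# Header names that typically mark a secret column.
SECRET_HEADERS = re.compile(r"^(senha|password|passwd|pwd|token|api[_ -]?key)$", re.I)


@dataclass
class Finding:
    path: str
    login_column: str
    secret_column: str
    populated_rows: int  # rows where both a login and a secret are filled in


def guess_delimiter(header_line):
    """Pick the most frequent of ',', ';' and tab in the header line."""
    counts = {d: header_line.count(d) for d in (",", ";", "\t")}
    best = max(counts, key=counts.get)
    return best if counts[best] > 0 else ","


def scan_sheet(path, text):
    """Return a Finding when the sheet pairs a login-like column with a
    secret-like column and at least one row populates both; else None."""
    lines = text.splitlines()
    if not lines:
        return None
    reader = csv.DictReader(io.StringIO(text), delimiter=guess_delimiter(lines[0]))
    headers = reader.fieldnames or []
    login_cols = [h for h in headers if LOGIN_HEADERS.match(h.strip())]
    secret_cols = [h for h in headers if SECRET_HEADERS.match(h.strip())]
    if not login_cols or not secret_cols:
        return None
    populated = 0
    for row in reader:
        # A header alone is not a leak; count only rows that carry both values.
        has_login = any((row.get(c) or "").strip() for c in login_cols)
        has_secret = any((row.get(c) or "").strip() for c in secret_cols)
        if has_login and has_secret:
            populated += 1
    if populated == 0:
        return None
    return Finding(path, login_cols[0].strip(), secret_cols[0].strip(), populated)


def scan_files(files):
    """files: mapping of path -> file text. Returns every Finding."""
    findings = []
    for path, text in files.items():
        finding = scan_sheet(path, text)
        if finding is not None:
            findings.append(finding)
    return findings


def main(argv):
    """Usage: python guard.py <staged files...>; exit 1 blocks the commit."""
    files = {}
    for path in argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            files[path] = fh.read()
    findings = scan_files(files)
    for f in findings:
        print(f"BLOCK {f.path}: '{f.login_column}' paired with "
              f"'{f.secret_column}' in {f.populated_rows} row(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as a pre-commit hook over the staged file list, the check blocks the commit whenever a finding is reported. The heuristic is deliberately narrow (header names, not value patterns), so it will not catch secrets embedded in free-text columns; it is a cheap first gate, not a substitute for the two-factor authentication and credential rotation the article describes as missing.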
As part of its request for an investigation, IDEC is requesting a description of the partnership between the hospital and the federal government in terms of the handling of personal data, information on the security policy adopted for data sharing, and the measures taken to contain the leak.
The institute also stresses that both the Ministry of Health and the Albert Einstein Hospital must take the necessary measures to bring the platforms and their policies into line with data protection legislation and the consumer protection code, and that the federal administration should establish a consistent and effective policy for the protection of personal data.