Personal details of millions of Brazilians infected with Covid-19 have been exposed after passwords to systems from the Ministry of Health (MoH) were openly published online, it has been revealed.
According to Brazilian newspaper O Estado de S.Paulo, the passwords were published on code hosting platform GitHub by an employee from Albert Einstein Hospital, one of the main private healthcare organizations in Brazil. The hospital collaborates with the Ministry on projects under a cooperation between the public and private sector for the national advancement of healthcare.
In addition, the report noted that as many as 16 million patients across the public and private healthcare system had their data exposed, since notification of suspected and confirmed Covid-19 cases is mandatory for all hospitals. None of the institutions have confirmed the exact number of records that were accessible as a result of the leak.
The leak exposed addresses, previous medical history and social security numbers of ordinary citizens and of senior politicians, including president Jair Bolsonaro, at least seven other ministers, 17 state governors and the leaders of the Lower House of Congress and the Senate.
Also according to the report, the spreadsheet with the passwords remained available for nearly a month. With that information, it was possible to access two key federal government systems: one that records notifications of suspected and confirmed Covid-19 cases, and another that records hospital admissions for Acute Respiratory Syndrome conditions, which include Covid-19.
The Ministry of Health said in a statement that its IT department had “immediately revoked all access to the logins and passwords that were contained in the [leaked] spreadsheet”. It added that the hospital had informed the MoH that it has started a fact-finding process about the incident.
“The hospital’s cyber security team is taking all measures to contain a possible leak of files containing login and password to access system information via Elasticsearch”, it noted.
According to the statement, the file containing the passwords has been deleted, and any websites or other online locations where the data may have been replicated are being tracked. The hospital also confirmed that the incident had been caused by human error on the part of one of its employees rather than by a system fault.
Also according to the MoH, the databases “are not easy to access, since only login and password are not enough to reach the information contained in the databases – but a set of technical factors”.
Consumer rights non-profit Idec has asked the Brazilian Prosecution Service to investigate the flaws in the control and digital security measures currently in place around the partnership between the hospital and the government.
“Once again we are faced with serious security flaws that may have caused damage or even harm a large number of Brazilians. We see that not even a government system that stores health data, which should be an example by the nature of that information, is safe”, said Bárbara Simão, lawyer and specialist in digital rights at Idec. “This is another example that shows the need for both the public and private sectors to invest more to protect consumers.”
In the document submitted to the Prosecution Service, Idec points out that “the seriousness of the incident displayed the lack of basic care in terms of the security of stored information”. Among the main points highlighted are the existence of a table with login details, usernames and employee passwords; the failure to enforce basic security measures such as two-factor authentication; and the fact that no other strict security criteria have been adopted, given the sensitivity of the data and the related exposure risks.
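The failure Idec describes, a plain table of usernames and passwords that ended up in a public code repository, is one that a repository-side check can catch before a push. The following is an added example, not code from the hospital, the Ministry or the newspaper: a small pre-commit style scanner for tabular files that flags password-named columns, login/password tables and cells whose values look like secrets. The CSV format, the column names (including the Portuguese `login`/`senha`, assumed because the page concerns a Brazilian hospital) and the sample rows are all constructed for the demonstration.

```python
"""Pre-commit style check for credential tables accidentally staged into a repository.

Added example; not the hospital's, the Ministry's or the newspaper's code.
Assumes the leaked artefact was a tabular file (CSV here; the page says "spreadsheet").
Column names, sample rows and file names below are constructed for the demo.
"""
from __future__ import annotations

import csv
import io
import re
import sys
from dataclasses import dataclass

# Header names that mark a password column (English and Portuguese forms; assumption).
PASSWORD_HEADERS = re.compile(r"^(pass(word)?|pwd|senha|secret|token|api[_-]?key)$", re.I)
# Header names that mark a username column.
USER_HEADERS = re.compile(r"^(login|user(name)?|usuario|usu[aá]rio)$", re.I)

# Cell values that look like secrets even when the header is innocuous.
SECRET_VALUE_PATTERNS = [
    ("url_with_embedded_credentials", re.compile(r"^[a-z]+://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("bearer_or_basic_header", re.compile(r"^(Bearer|Basic)\s+\S{16,}$", re.I)),
]


@dataclass(frozen=True)
class Finding:
    row: int      # 0 = header row, otherwise 1-based data row
    column: str   # header name (or synthesized name for unnamed columns)
    reason: str   # why it was flagged


def _looks_like_password(value: str) -> bool:
    """Heuristic: 8+ chars, no spaces, at least three character classes."""
    if len(value) < 8 or " " in value:
        return False
    classes = sum(bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 3


def _header_findings(header: list[str]) -> list[Finding]:
    password_cols = [h for h in header if PASSWORD_HEADERS.match(h)]
    user_cols = [h for h in header if USER_HEADERS.match(h)]
    out = [Finding(0, h, "password-named column") for h in password_cols]
    # A username column next to a password column is the credential-table shape itself.
    if password_cols and user_cols:
        out.append(Finding(0, f"{user_cols[0]}+{password_cols[0]}", "login/password table"))
    return out


def scan_csv_text(text: str) -> list[Finding]:
    """Scan a CSV document given as a string and return every finding."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return []
    header = [h.strip() for h in rows[0]]
    findings = _header_findings(header)
    skip = {i for i, h in enumerate(header) if PASSWORD_HEADERS.match(h)}  # already reported
    for r, row in enumerate(rows[1:], start=1):
        for i, cell in enumerate(row):
            cell = cell.strip()
            if not cell or i in skip:
                continue
            col = header[i] if i < len(header) else f"col{i}"
            for reason, pattern in SECRET_VALUE_PATTERNS:
                if pattern.search(cell):
                    findings.append(Finding(r, col, reason))
                    break
            else:
                if _looks_like_password(cell):
                    findings.append(Finding(r, col, "password-like value"))
    return findings


# Constructed sample: the shape of a credential table, with made-up names and values.
SAMPLE_CREDENTIAL_CSV = """sistema,login,senha,observacao
notificacao_casos,maria.silva,Ab3$kLm9xQ,acesso leitura
admissoes_srag,joao.souza,P@ssw0rd2020!,acesso escrita
"""

# Constructed sample: innocuous headers but a connection string carrying a password.
SAMPLE_URL_CSV = """endpoint,descricao
https://svc:hunter2xyz@db.example.invalid/,cluster de busca
"""


def main(paths: list[str]) -> int:
    """CLI entry point: exit 1 if any staged tabular file carries credentials."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_csv_text(fh.read()):
                print(f"{path}: row {f.row}, column {f.column!r}: {f.reason}")
                total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as a pre-commit hook over staged `.csv` files (`git diff --cached --name-only -- '*.csv'`); a non-zero exit blocks the commit. The header checks are the important part for the scenario on this page: a table whose columns are literally `login` and `senha` is flagged regardless of what the values look like, while the value heuristics catch connection strings and tokens hiding under neutral headers.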
Idec is also asking the federal prosecutors to request a description of the partnership between the hospital and the federal government as it relates to the handling of personal data, together with information on the security policy adopted for data sharing and the measures taken to contain the leak and minimize harm to the affected citizens.
The institute has also reinforced that both the Ministry of Health and the Albert Einstein Hospital must take the necessary measures to adapt the platforms and their policies in relation to the general data protection regulations and consumer rights regulations, and that the federal administration should also establish a consistent and effective policy for the protection of personal data.