Leak exposes personal data for millions of Brazilian COVID-19 patients

Even the country's president had data exposed.

Medical data breaches are serious as a rule, but an incident in Brazil may be particularly severe. According to ZDNet, Brazilian newspaper Estadao has learned that a Sao Paolo hospital worker uploaded a spreadsheet with login details for two government databases to GitHub, exposing personal data for millions of COVID-19 patients. The E-SUS-VE and Sivep-Gripe data sets included patients’ names, addresses, identification and medical histories.

The data included both mild cases as well as patients that needed hospitalization. The access even covered high-profile patients like President Jair Bolsonaro, his family, state governors and seven ministers.

The spreadsheet was pulled from GitHub as officials changed login details and revoked keys to prevent intruders from accessing the data. It’s not clear how many unauthorized people accessed the information.

An exposure like this could easily be dangerous. Patients face the risk of fraud and identity theft. It could be particularly problematic for hospitalized people who might not even have an opportunity to respond to any theft. Criminals could effectively take advantage of patients at their most vulnerable.

It’s also a reminder that healthcare info security doesn’t just involve protecting against hacks. It also involves ensuring that staff handle data responsibly. It only takes one mistake or rogue employee to leak massive amounts of sensitive information, and Brazil is discovering the consequences of these oversights first-hand.