RIO DE JANEIRO, BRAZIL – Personal details of millions of Brazilians infected with Covid-19 have been exposed after passwords to systems from the Ministry of Health (MoH) were openly published online, it has been revealed.
According to Brazilian newspaper O Estado de S. Paulo, the passwords were published on the code hosting platform GitHub by an employee from Albert Einstein Hospital, one of the main private healthcare organizations in Brazil. The hospital collaborates with the Ministry on projects under a cooperation agreement between the public and private sectors for the national advancement of healthcare.
In addition, the report noted that as many as 16 million patients from the public and private healthcare system had their data exposed, since notification of suspected and confirmed Covid-19 cases is mandatory for all hospitals. None of the institutions have confirmed the exact number of records that were accessible as a result of the leak.
The leak has exposed details including address details, as well as previous medical history and social security numbers of citizens and senior politicians including President Jair Bolsonaro and at least seven other ministers and 17 state governors and leaders of both Houses of Congress.
Also according to the report, the spreadsheet with the passwords remained available for nearly a month. The story added that with that information, it was possible to access two key federal government systems, which record notifications of suspected and confirmed Covid-19 cases and another with hospital admissions for Acute Respiratory Syndrome conditions, which include Covid-19.
The Ministry of Health said in a statement that its IT department had “immediately revoked all access to the logins and passwords that were contained in the [leaked] spreadsheet.” It added that the hospital informed the MoH that it has started a fact-finding process about the incident, the statement said.
”The hospital’s cyber security team is taking all measures to contain a possible leak of files containing login and password to access system information via Elastic Search,” it noted.
According to the statement, the file containing the passwords has been deleted and potential websites or cyberspaces where data may have been replicated are being tracked. The hospital also confirmed that the incident that been prompted by a human error by one of its employees rather than a system fault.
Also according to the MoH, the databases ”are not easy to access, since only login and password are not enough to reach the information contained in the databases – but a set of technical factors.”