Brazil’s Ministry of Health software developer leaks data from 243 million citizens, including living and deceased people

In an unprecedented incident, the personal data of more than 240 million Brazilians was exposed online because a web development team left the password for a Ministry of Health database in the website's source code. The information was exposed for about six months and includes records of both living and deceased citizens.

The incident was detected by a local researcher who, a few days ago, revealed a similar situation affecting millions of patients diagnosed with COVID-19, caused by negligence at a major hospital in São Paulo.


The report indicates that this finding was made possible in collaboration with the non-governmental organization Open Knowledge Brasil (OKBR), which has revealed multiple similar findings affecting other platforms operated by the Brazilian government. According to the researcher, anyone who presses F12 in their browser can view and analyze the code of the website in question, which gives experts a first approximation of how securely a website operates.

This finding was made possible by analyzing the e-SUS-Notifica code, a web portal of the Ministry of Health where Brazilian citizens can register and receive official notifications about the current status of COVID-19 in Brazil.

The research mentions that the source code of the website contained the username and password stored in Base64, an encoding format (not encryption) that can be trivially decoded to recover the credentials and gain access to the exposed system. This failure allowed access to the Sistema Único de Saúde (SUS, the Unified Health System), which stores the records of all Brazilian citizens registered in the public health system since 1989.
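As an added illustration that is not part of the original report, the following pre-deploy check scans front-end source for Base64 tokens that decode to credential-like text, the very defect described above; the sample bundle, its host and its credential are constructed.

```python
"""Detect Base64-obscured credentials in front-end source (added example).

Base64 is an encoding, not encryption: any credential shipped to the browser
this way is one decode away from plaintext. Run this over HTML/JS before it is
served. The sample bundle below is constructed; the credential is fake.
"""
import base64
import binascii
import re

# Candidate tokens: valid Base64 alphabet, long enough to carry a credential,
# not glued to other Base64 characters (so URLs and words are not split oddly).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Plaintext shapes that indicate a credential rather than harmless data.
CREDENTIAL_HINTS = (
    re.compile(r"^[\w.@-]{2,64}:[^\s]{4,}$"),                 # user:pass
    re.compile(r"(password|passwd|senha|secret|token|api[_-]?key)", re.I),
)


def decode_if_text(token: str):
    """Return the decoded string if token is valid Base64 of printable text, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_secrets(source: str):
    """Return [(line_no, token, decoded)] for tokens decoding to credential-like text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in B64_TOKEN.finditer(line):
            decoded = decode_if_text(match.group(0))
            if decoded and any(p.search(decoded) for p in CREDENTIAL_HINTS):
                findings.append((line_no, match.group(0), decoded))
    return findings


# Constructed front-end bundle: one Base64 credential, one Base64 image blob.
SAMPLE_JS = """\
const API = "https://example.invalid/api";         // placeholder host
const AUTH = "ZGJfdXNlcjpTdXBlclNlY3JldDEyMw==";    // fake user:pass
const LOGO = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB";    // PNG header, not a secret
fetch(API, {headers: {Authorization: "Basic " + AUTH}});
"""

if __name__ == "__main__":
    for line_no, token, decoded in find_encoded_secrets(SAMPLE_JS):
        print(f"line {line_no}: {token} decodes to credential-like text {decoded!r}")
```

The image blob is skipped because it does not decode to printable text, so the check reports only the credential on line 2.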

The databases in this system contain all the records that a Brazilian citizen can provide to their government, including full names, home addresses, telephone numbers and medical information. Although the Ministry of Health was notified and the credentials have been removed from the website's code, it is impossible to know whether anyone managed to access this information. If illegitimate access is confirmed, this may be the largest data breach in Brazil's history.