A data leak has compromised the personal and healthcare information of over 16 million virus pandemic patients in Brazil, reported ZDNet. The leak was caused by an internal staff who uploaded a file containing sensitive details on GitHub.
The spreadsheet, uploaded by an employee of the Sao Paolo-based Albert Einstein Hospital, carries various information such as login details and access keys to government systems.
Two of the government databases are E-SUS-VE and Sivep-Gripe, which stores data on pandemic patients with the former focusing on mild symptoms, while the latter taking on hospitalized cases.
Both databases deal with various personally identifiable info such as names, addresses, identification card details, and healthcare records including history and medication treatments. These details can be used for various cyber crimes such as identity theft and fraud.
The issue was discovered by a GitHub user who noticed that the spreadsheet contains login information to the employee’s GitHub account. This discovery was reported to Estadao, a Brazilian newspaper.
Estadao conducted a study about the information and consequently informed the hospital and the Brazilian Ministry of Health.
According to the newspaper’s report, the database covers 27 Brazilian states and includes public personalities such as President Jair Bolsonaro and his family. The leak also affected seven government ministers and 17 governors.
This prompted the removal of the spreadsheet and the changing of passwords for the government systems. The two databases also revoked access to their systems in order to take the necessary security measures.
Techradar noted that both systems are now secured. However, there was no reason given as to why the employee uploaded the spreadsheet on GitHub.
Brazil is not the first country to experience healthcare data issues during the pandemic. Various countries such as New Zealand, India, and Germany saw vulnerabilities, leaks, and breaches for pandemic-related data.
Governments, who have been working with contractors to launch contract tracing solutions, have been having problems protecting patients who use related mobile applications and databases.
However, research shows that about 85% of pandemic contract tracing applications leak information in some way. Some were found mishandling data collected for contact tracing.
The Intertrust 2020 Security Report on Global mHealth Apps also revealed that 71% of medical applications have at least one critical vulnerability. It also found that the need for digital solutions in light of the pandemic “often come at the expense of mobile application security.”