
Personal data of 16 million Brazilian COVID-19 patients exposed online


The personal and health information of more than 16 million Brazilian COVID-19 patients has been leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys for sensitive government systems to GitHub this month.

Among the systems that had credentials exposed were E-SUS-VE and Sivep-Gripe, two government databases used to store data on COVID-19 patients.

E-SUS-VE was used for recording COVID-19 patients with mild symptoms, while Sivep-Gripe was used to keep track of hospitalized cases.

The two databases contained sensitive details such as patient names, addresses, and ID information, as well as healthcare records such as medical history and medication regimens.

The leak came to light after a GitHub user spotted the spreadsheet containing the passwords on the personal GitHub account of an employee of the Albert Einstein Hospital in the city of Sao Paulo.

The user later notified Brazilian newspaper Estadao, which analyzed the data and notified the hospital and the Brazilian Ministry of Health.

Estadao reporters said that data for Brazilians across all 27 states was included in the two databases, including high-profile figures like the country’s president Jair Bolsonaro, the president’s family, seven government ministers, and the governors of 17 Brazilian states.

The spreadsheet was ultimately removed from GitHub, while government officials changed passwords and revoked access keys to re-secure their systems.

Since the onset of the COVID-19 pandemic, several governments and government contractors have had problems securing their COVID-19-related apps and databases.

Vulnerabilities and leaks were discovered in COVID-19 apps and systems used in Germany [1, 2], Wales, New Zealand, India, and others.

According to research published by Intertrust this September, around 85% of COVID-19 contact tracing apps leak data in one way or another.


Source: Information Technologies - zdnet.com
