The leak of passwords giving access to the data of 16 million Brazilians with suspected or confirmed covid-19 was not the result of a cybercriminal attack. According to Estadão, it was a mistake by a data professional, who reportedly posted the credentials on his GitHub profile.
The database was open for consultation for about a month, between October and November, after a data scientist at Albert Einstein Hospital published a list with access credentials to two systems: E-SUS-VE, which collects data from patients with suspected or confirmed covid-19, and Sivep-Gripe, which collects hospitalization records of patients in a more serious condition. Both databases are federal and gather data from all over Brazil.
The databases are the responsibility of the Ministry of Health and, according to the newspaper, the employee had access to the data because he was working on a project with the government. The goal was to test the implementation of a model, but the employee forgot to remove the file (which was public) from GitHub.
The systems bring together the name, CPF, address, telephone number and pre-existing diseases of about 16 million Brazilians who sought hospitals with symptoms of covid-19. There is also medical record information and, for some patients, which drugs were used in treatment during hospitalization.
Brazilian hospitals are required to provide data related to covid-19 to the Ministry of Health. The data give the government a basis for developing treatments and even a vaccine. But they are extremely confidential and should belong only to the government, for the public good, since companies (in healthcare or any other area) can use them to offer specific products and solutions aimed at a group or even at individuals.
Among the records, it is possible to find information on Jair Bolsonaro and his family, in addition to many other political representatives, such as João Dória, Onyx Lorenzoni, Damares Alves and Rodrigo Maia. The data were confirmed by Estadão.
In a press release issued on Thursday (26), the Ministry of Health says that the file has already been removed from GitHub and that the hospital’s cybersecurity team is already “taking the necessary steps to contain a possible leak of files containing login and password to access system information via Elastic Search”.
The hospital says it does not have access to the data or to the file with the passwords, but that the employee did, because he was working on a project in partnership with the Ministry of Health. According to the hospital, the employee was fired the same day the leak was made public.
“[The data] are filed in a Ministry of Health database and are used in a Covid-19 pandemic monitoring program. The employee was even leased in Brasília,” says the statement.
Source: Estadão; Ministry of Health; Albert Einstein Hospital.
See the original post at: https://thehack.com.br/vazamento-de-senhas-do-ministerio-da-saude-nao-foi-causado-por-ataque-cibercriminoso/?rand=48873