Brazil: Idec requests investigation into leakage of 16 million Brazilian COVID-19 patients' data
The Brazilian Institute of Consumer Protection ('Idec') filed a denunciation, on 26 November 2020, at the Federal Public Prosecutor's Office requesting the opening of an investigation into a data breach involving the Ministry of Health of Brazil and the Israelita Albert Einstein Hospital. The personal data of at least 16 million suspected or confirmed COVID-19 patients was exposed, including security numbers, addresses, telephone numbers, and sensitive data on pre-existing illnesses of people across the country, and remained available on the internet for almost a month. Furthermore, Idec highlighted that the passwords were stored in a spreadsheet which an employee of the hospital had published on GitHub, a website for sharing program code and files.
In the denunciation, Idec points out that 'the seriousness of the incident still surprises by the lack of basic care related to the personal data security'. In addition, Idec requested information and further investigation into:
- the existence of a spreadsheet with logins, users, and employee passwords;
- the non-application of basic security measures such as two-factor authentication;
- the reason for such large-scale use, even for accessing applications such as email;
- the fact that no other strict safety criteria have been adopted, especially considering the sensitivity of the data and the related exposure risks;
- a description of the partnership between the hospital and the Ministry for the handling of personal data;
- information about the security policy adopted for data sharing; and
- what measures were taken to contain the leak and immediately remedy the harm to the affected users.
Furthermore, Idec stated that the Ministry and the hospital must take the necessary measures to bring their platforms and policies into line with Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), and Law No. 8.078 of 11 September 1990, the Consumer Defence Code ('CDC'). Idec also pointed out that the administration of the Unified Health System ('SUS') should establish a consistent and effective policy for the protection of sensitive personal data in a preventative manner.
You can read the press release, available only in Portuguese, here.