Ministry password leak exposes data of 16 million patients


At least 16 million Brazilians who had a suspected or confirmed diagnosis of covid-19 had their personal and medical data exposed on the Internet for almost a month due to a password leak from the Ministry of Health systems.

Among the people whose privacy was violated, with exposure of information such as CPF, address, telephone number and pre-existing illnesses, are President Jair Bolsonaro and family members; the Minister of Health, Eduardo Pazuello; six other ministers, such as Onyx Lorenzoni and Damares Alves; the governor of São Paulo, João Doria (PSDB), and 16 other governors, in addition to the presidents of the Chamber, Rodrigo Maia (DEM-RJ), and the Senate, Davi Alcolumbre (DEM-AP).

The data exposure was not caused by a hacker attack or a system security breach. The records became open to consultation after an employee of the Albert Einstein Hospital published a list of usernames and passwords that gave access to databases of people tested, diagnosed and hospitalized for covid in the 27 states.

According to Einstein, the hospital has access to the data because it is working on a project with the ministry.

With these passwords, it was possible to access the covid-19 records held in two federal systems: the E-SUS-VE, in which suspected and confirmed cases of the disease are reported when the patient presents a mild or moderate condition, and the Sivep-Flu, in which all hospitalizations for Severe Acute Respiratory Syndrome (SARS) are recorded, that is, the most serious patients.

The exposure of the data was discovered by the newspaper O Estado de S. Paulo after its reporting team received a complaint with the link to the page where the system passwords were available. The spreadsheet with the information was published on October 28 in the personal profile of Wagner Santos, a data scientist at Einstein, on GitHub, a platform used by programmers to host code and files.

The reporting team accessed the system to verify the accuracy of the data. After verifying that the passwords were valid, it searched for records of authorities who had already publicly disclosed a diagnosis or suspicion of covid and confirmed that the data was correct.

In addition to personal patient information, the ministry’s databases contain details considered confidential about medical history, such as the existence of pre-existing diseases or conditions, such as diabetes, heart problems, cancer and HIV.

Some inpatient records even carried information from the medical record, such as which medications were administered during the hospitalization. In Pazuello’s record, for example, it was possible to see on which floor of the Armed Forces Hospital he was admitted and which professional discharged him.

Both public and private patients had their data exposed. This is because the notification of suspected or confirmed cases of covid to the Ministry of Health is mandatory for all hospitals.

For the lawyer Juliano Madalena, professor of Digital Law and founder of the Direitodigital.io forum, the leak of passwords and the exposure of data that must be protected by public authorities are cause for concern. According to the expert, the information can be used for commercial purposes by different companies. “Health data can be used by companies in the industry that want to create specific products aimed at a public, by life insurance companies or health plans in an improper way, many times even with a discriminatory aspect, because they have information about the history of the person’s health,” he says.

The lawyer says that, under the General Data Protection Law, it is the duty of those who control and access the data to adopt measures that prevent leaks. In this case, Einstein, its employee and the Ministry of Health can all be held responsible for the collective damage of having exposed the information of millions of people.

The information is from the newspaper O Estado de S. Paulo.
