The personal information of patients with suspected or confirmed Covid-19 diagnoses was available on the Internet for almost a month after Ministry of Health passwords were published on an open platform, according to a report published this Thursday (26) by the newspaper “O Estado de S. Paulo”.
Passwords allowed access to data such as CPF, address, telephone number and pre-existing diseases of at least 16 million people nationwide, according to the newspaper (see details below).
The data was published by an employee of the Albert Einstein Hospital, in São Paulo, on a code-sharing website used by programmers and data scientists, also according to “O Estado de S. Paulo”.
In a statement issued on Thursday (26), the hospital said that it “learned” on Wednesday afternoon that “an employee hired to provide services to the Ministry of Health had filed information on access to certain systems without adequate protection.” (See full text at the end of the story).
Einstein said that the employee was fired “for violating the internal rules adopted to guarantee the protection and security of the data.” According to the note, “there was no disclosure of any data by the employee,” and the hospital “does not have access to it.”
In a statement issued before the hospital's, the Health Ministry stated that Einstein was taking action for “a possible leak of files containing username and password to access information” through an open data search engine called Elastic Search.
Also according to the ministry, the hospital said that “a spreadsheet was mistakenly posted on a source code hosting platform.” (See full text at the end of the story).
Neither Einstein nor the Health Ministry confirmed the number of patients whose information may have been exposed after the passwords were published.
According to “O Estado de S. Paulo”, with the published passwords, it was possible to access records related to Covid-19 in two federal government systems: one with notifications of suspected and confirmed cases of the disease and another with hospitalizations for severe acute respiratory syndrome (SARS).
SARS can be caused by various respiratory viruses, but this year, almost 98% of cases in Brazil are caused by the Covid-19 virus, according to data from Fiocruz. Data from SARS admissions have been used to more accurately estimate the number of Covid cases in the country, which are underreported due to little evidence.
The newspaper said it received a complaint with the link to the page where the passwords were available. According to the report, the spreadsheet with the data was published on October 28.
In the note of this Thursday (26), Einstein said that the information “was immediately withdrawn and the fact was communicated to the Ministry of Health so that the necessary measures be taken to guarantee the protection of said information.”
The Ministry of Health reported that the SUS Computing Department (DataSUS) “immediately revoked all access to the usernames and passwords that were contained in that spreadsheet.”
Also according to the Health Ministry, the databases “are not easily accessible, since only the login and the password are not enough to reach the information contained in the databases, but rather a set of technical factors.”
Government member data
The report indicates that President Jair Bolsonaro and at least 7 other ministers were affected by the leak, including Health Minister Eduardo Pazuello; the Minister of Citizenship, Onyx Lorenzoni; and the Minister for Women, Family and Human Rights, Damares Alves.
The data of the governor of São Paulo, João Doria (PSDB), and 16 other governors was also exposed, in addition to that of the presidents of the Chamber, Rodrigo Maia (DEM-RJ), and the Senate, Davi Alcolumbre (DEM-AP), according to the newspaper.
Also according to the report, “both public and private patients had their data exposed,” because the notification of suspected and confirmed Covid cases is mandatory for all hospitals.
Note from Albert Einstein Hospital (11/26):
São Paulo, November 26, 2020 – Hospital Israelita Albert Einstein learned on Wednesday afternoon, 11/25, that an employee hired to provide services to the Ministry of Health had archived access information to certain systems without appropriate protection.
This information was immediately withdrawn and the event was communicated to the Ministry of Health so that the necessary measures be taken to guarantee the protection of said information.
Einstein points out that the employee did not disclose any data and that the hospital does not have access to it. They are archived in a database of the Ministry of Health and used in a Covid-19 pandemic monitoring program. The employee was even hired in Brasilia.
The organization reiterates its commitment to information security and data protection and reports that it has already started investigating the incident. Furthermore, on the morning of Thursday 11/26, the employee was fired for having violated the internal regulations adopted to guarantee the protection and security of the data.
Note from the Ministry of Health:
The Health Ministry reports that it held a meeting with the Albert Einstein Israelite Hospital – with whom it has an alliance through Proadi – to clarify the facts. The hired professional acts in the MS as a data scientist and began activities on 09/14/2020 and, within the scope of the Ministry’s security measures, complied with the compliance and confidentiality protocols by signing the term of responsibility before accessing the e-SUS Notifica database.
The Hospital informed the Ministry of Health that it had initiated an investigation process. The hospital’s cybersecurity team is taking all measures to contain a possible leak of files containing username and password to access system information through Elastic Search. The institution also reported that a spreadsheet was mistakenly posted on a source code hosting platform. This document has been removed and potential sites or cyberspaces are being tracked where the data may have been replicated. The hospital confirmed that there was a human error on the part of one of its employees, not the system.
The IT Department of the SUS (DataSUS) immediately revoked all access to the logins and passwords that were contained in that spreadsheet. It is important to bear in mind that it is not easy to access the data, since only the username and password are not enough to reach the information contained in the databases, but a set of technical factors. The Ministry of Health emphasizes that all the technicians who have access to its information systems sign a term of responsibility for the use of the information and all are aware that the disclosure of personal information is subject to criminal and administrative sanctions.