Personal data of some 16 million Brazilians, including their medical records, was reportedly left exposed for almost a month after a data scientist published passwords for government Covid-19 databases.

A Brazilian newspaper reported that it managed to access the medical records of President Jair Bolsonaro, his family members, seven ministers, including Health Minister Eduardo Pazuello, 17 governors and other high-profile figures.

The records were stored in two databases listing people with suspected or confirmed Covid-19 infections and those admitted to hospitals for treatment, the newspaper Estadao said. There were entries for some 16 million Brazilians in them, and they contained some highly sensitive information, including personal details, pre-existing conditions like cancer or HIV, prescribed drugs, and even the hospital floor on which a patient could be found.

This trove was exposed by a single data scientist, who published a list of logins and passwords necessary to access the databases on his personal page on the code repository GitHub. The newspaper said it was tipped off about the existence of the breach and verified the authenticity of the access credentials. The passwords were leaked on October 28 and removed only after Estadao started digging into the security breach.

The person responsible for the leak was identified as an employee of the Albert Einstein Hospital in the city of Sao Paulo. He told the newspaper he uploaded the spreadsheet while working on a computer modeling project and forgot to remove it. The passwords have since been changed by the authorities.

The health ministry and the hospital promised a thorough investigation into the leak, but said it apparently happened due to human error rather than a design flaw in their systems. It was not immediately clear why such sensitive databases seem to be protected only by passwords and did not use some form of multi-factor authentication. More robust systems require additional information before giving users access, for example, a short code texted to a person's phone when they attempt to log in.
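The point of a second factor is that a leaked password on its own is no longer enough to open the database. The following is an added example, not code from the article or from any of the systems it describes: a minimal login check in Python that requires both a password and a time-based one-time code of the kind produced by an authenticator app (RFC 4226/6238 style, rather than the SMS code the article mentions, because that lets the example run offline). The account record, the fixed salt, and the password are constructed for the example; the one-time-code secret is the public test secret from RFC 6238, so the codes can be checked against the RFC's test vectors.

```python
"""Added example: password + time-based one-time code (TOTP) login check.

Assumptions (not from the article): one constructed account, a fixed salt,
and the RFC 6238 public test secret "12345678901234567890".
"""
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6     # length of the one-time code
WINDOW = 1     # accept +/- one time step of clock drift between client and server


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation":
    the low nibble of the last byte picks a 4-byte window, whose top bit is
    masked off, and the result is reduced to `digits` decimal digits.
    """
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(now / step)."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, window: int = WINDOW) -> bool:
    """Accept the code for the current step or any step within +/- `window`.

    Constant-time comparison avoids leaking how many digits matched.
    """
    counter = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample account (not real data). A real system would use a
# per-user random salt; a fixed one is used here only to keep the example short.
SALT = b"constructed-fixed-salt"
USERS = {
    "analyst": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    }
}


def login(username: str, password: str, otp_code, now: int) -> bool:
    """Return True only when BOTH the password and the one-time code are valid.

    A password alone (for instance, one copied from a leaked spreadsheet)
    is rejected because the second factor is missing or wrong.
    """
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, SALT), user["pw_hash"]):
        return False
    if otp_code is None or not verify_totp(user["totp_secret"], str(otp_code), now):
        return False
    return True


if __name__ == "__main__":
    t = 1111111109  # one of the RFC 6238 test times
    good_code = totp(USERS["analyst"]["totp_secret"], t)
    print("password only:", login("analyst", "correct horse battery staple", None, t))
    print("password + code:", login("analyst", "correct horse battery staple", good_code, t))
```

The `WINDOW` of one step each way is the usual trade-off: it tolerates a phone or server clock that is up to 30 seconds off, at the cost of three valid codes per moment instead of one. A production deployment would also record the last counter accepted per user so a code cannot be replayed within its window, and would rate-limit failed attempts.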