The world’s biggest healthcare co-operative system, Unimed do Brasil, has issued a statement after a report by Cybernews claimed its patients’ data had been compromised.
Cybernews claims its researchers discovered an unprotected Apache Kafka instance owned by Brazilian healthcare giant Unimed. This included customer conversations with Unimed’s chatbot “Sara”, as well as with their doctors.
An open-source platform, Apache Kafka facilitates real-time data transmission between systems.
The researchers say they were able to intercept over 140,000 messages sent via Unimed’s chat feature but estimate that at least 14 million messages could’ve been sent in this insecure way.
“The leak is very sensitive as it exposed confidential medical information,” they told Cybernews, adding that attackers could exploit the leaked details.
They say Unimed has closed the exposed instance after they notified it about the issue.
Meanwhile, Unimed published a statement in response to the incident which says the issue was identified in March and promptly resolved “with no evidence, so far, of any leakage of sensitive data from clients, co-operative physicians, or healthcare professionals”.
The Unimed System is made up of 340 independent medical co-operatives and companies, which bring together 116,000 medical professionals and up to 19.7 million customers.
According to the statement, the affected digital tool integrates the mobile application and the chat service used by three co-operatives, exclusively for communication between beneficiaries and operators. Unimed says these interactions are limited to searching the accredited network and administrative requests.
“The chat does not have any assistance services nor does it allow direct exchange between doctors and patients,” says the statement.
It also points out that the environment involved is not a data repository: it does not maintain a history of interactions and does not have the capacity to support the volume of messages alleged in the disclosure.
According to the statement, the isolated occurrence “does reflect on the system as a whole” since the 340 co-ops and companies function independently of each other.
The statement reiterates Unimed’s commitment to health and the protection of the right to privacy of its beneficiaries, co-operative physicians, employees and partners, adding that “every situation is analysed with technical rigor and institutional responsibility”.
“The Unimed System maintains the National Data protection and Privacy Governance Program and continually invests in Information Security,” it adds.
It says there are “robust initiatives” for:
• raising cybersecurity standards in all co-operatives;
• compliance with the General Data Protection Law and international best practices;
• continuous monitoring and rapid response to incidents;
• partnerships with strategic technology suppliers, global leaders in security solutions and digital infrastructure.
“The Unimed System continues to operate with transparency, responsibility and commitment to the trust of Brazilian society, maintaining the highest standards of security and digital governance,” added the statement.
Cybernews has been contacted for further information.