The personal and health data of over 16 million Brazilian COVID-19 patients has been exposed after a hospital employee foolishly uploaded a spreadsheet of names, passwords, and access keys for sensitive government systems to GitHub.
Two government databases, E-SUS-VE and Sivep-Gripe, used to store patients' COVID-19 data, were among the systems exposed. The Sivep-Gripe database is used to keep track of hospitalized cases, and E-SUS-VE is used to record COVID-19 patients with mild symptoms. These two specific databases were especially notable as they contained sensitive details such as patient names, ID information and addresses, as well as healthcare records such as medication regimes and medical history.
Commenting on the news, Michael Barragry, operations lead and security consultant at Edgescan, stated: “The first question that springs to mind is why did such a spreadsheet exist in the first place. Without more detail it is hard to say, but it’s difficult to think of a legitimate use case for storing such sensitive data in a spreadsheet. The only real place for data like this is in a modern database, secured with encryption.”
“However, health services in many countries are often operating on legacy infrastructure, so perhaps there are dozens of similar scenarios just waiting to happen,” he added.