The data of Brazil President Jair Bolsonaro was among the personal and health information of 16 million COVID-19 patients in the country that were exposed online. This did not result from a hack, but after a hospital employee shared on GitHub a spreadsheet of access keys various government systems including usernames and passwords. Also included by the leak are 17 provincial governors and seven ministers.
While the spreadsheet has already been removed from GitHub, government authorities already revoked access keys and changed their system passwords to avoid further compromise.
Brazil Health Ministry Password Leak
According to ZDNet, the leak was first reported by Brazilian newspaper Estadao after a GitHub user spotted the leaked spreadsheet that was uploaded on the GitHub account of an Albert Einstein Hospital employee.
The newspaper analyzed the data in the spreadsheet, which contains passwords to various sensitive government systems, before notifying the Sao Paolo hospital as well as the Brazilian Ministry of Health.
Among the exposed systems were Sivep-Gripe and E-SUS-VE, which are two government databases being used to store COVID-19 patients credentials. The Sivep-Gripe system is being used to keep track of hospitalized cases while the E-SUS-VE database is for recording COVID-19 patients having mild symptoms.
According to Estadao report, health information and personal data of 16 million Brazilians across 27 states stored in these two databases have been exposed for a month in GitHub’s website. These details include names, addresses, telephone numbers, individual taxpayer’s ID as well as their pre-existing medical conditions, medication regimes, and medical history.
Global health and medical app security issues
The security breach is not unique to Brazil as other countries also had leaks and vulnerabilities in their COVID-19 systems and apps. These include those used in Wales, Germany, India, and New Zealand.
In September, a study published by Intertrust analyzed 100 iOS and Android medical and healthcare apps being used by healthcare organizations across the globe. This showed that 71% of these apps show at least one high security vulnerability, which can readily exploit and result in significant loss or damage. Also, 91% of medical apps have weak or mishandled encryption, making them at high risk of intellectual property theft and data exposure.
It also shows that 28% of iOS apps and 34% of Android apps are susceptible to extraction of encryption key while about 85% of contact tracing apps for COVID-19 can leak data. Moreover, the study also found that majority of health apps have multiple security issues linked to data storage.
Intertrust Chief Technology Officer and General Manager of the Secure Systems product group Bill Horne said the healthcare and medical sectors already had history of security vulnerabilities. “The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed,” Horne noted adding that there are still a lot of work to be done to strengthen the data security.
Addressing Cybersecurity amid pandemic
Since cybersecurity issues are not limited to the medical sector, governments must ensure they are capable of preventing the risk of any threat and mitigating its effect. Here are three ways governments can address data leaks and security breaches.
Strengthen awareness campaigns
Educating people and increasing awareness at all levels and ages can highly reduce the risk of getting screwed up online. It is best to have unified awareness programs between the private sectors and governments.
Adjust national frameworks
Nations should be more vigilant and responsive in developing and updating national cybersecurity measures as well as regulatory and legal framework towards the cyberspace.
Boost international cooperation
Cybersecurity is not a local issue, but a global threat to all individuals and entities. While information sharing already increased since the start of the pandemic, such trend should be maintained across all cyber-related issues.