Brazil's full DB of Covid tests and patient PII leaked (estadao.com.br)
78 points by gaius_baltar on Nov 26, 2020 | 34 comments



I'm shocked, but somewhat unsurprised, the researchers had access to a non-anonymized database. This whole government is a circus.


It seems to be the same in a lot of developing nations


It's an endless pit. The corruption and inefficiency is astounding.

The worst thing is most liberals in Brazil think he's pushing that agenda. It's not even that, it's just cronyism.




Why did we allow the inmates to run the asylum?


To own the libs of course but this comment probably doesn’t belong on HN


If you think it is only like this in Brazil I'm sorry to deliver the bad news that this is also the case in the USA.


And in 2019, Brazil's DMV exposed PII from 70 million drivers [1].

1. https://olhardigital.com.br/noticia/-exclusivo-detran-vaza-d...


We just can't assume privacy exists here in Brazil. =(


I spent a few months in São Paulo working on a project with Hospital das Clínicas.

No matter how many times I saw it, the sheer number of contexts in which people and websites would ask for a CPF was astonishing.

For Americans, imagine if you were asked if you want to enter your Social Security Number at the supermarket, or when ordering online, or to sign up for a gym membership.


It is not a fair comparison to mention SSN, since US law enforcement and fraud prevention are not even comparable. You can ruin someone's life by exploiting their SSN, but in Brazil, the damage that can be done by knowing your CPF is way lower, especially because it is supposed to be a public number and security is implemented in other ways.

That said, yeah, the CPF can be used to do cross-company identification, BI/AI/data science and all sorts of optimizations in marketing, and can be used to scam you. But let's be honest here: the software industry in Brazil is mostly incompetent and largely lacking the expertise to make it happen. A few companies might do well using this data, but the cost is so high, for so little gain, it is completely laughable in comparison to what US companies do just with your email and phone paired together.


This is absurd. I pay sometimes almost half more in drug stores because I refuse to give my CPF number "to get a discount".


Terrible.

If you gave a made up number could they tell?


They can tell whether a CPF number is valid or not. But I have tried giving them 123.456.789-09 which is mathematically valid, but it wasn't accepted. Maybe they have a verification for the actual existence of the number.
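The "mathematically valid" check the comment refers to is the standard CPF check-digit rule: two digits derived from a weighted sum mod 11. The code below is an added example, not from the thread, that implements that rule and also masks the number for logging; it demonstrates why a well-formed CPF can still be rejected (the check says nothing about whether the number was ever issued).

```python
# Added example (not from the thread): CPF check digits are computed from a
# weighted sum mod 11 over the preceding digits. Passing this check only means
# the string is well-formed; it does not prove the CPF exists or belongs to
# anyone, which is why a store can still reject 123.456.789-09.
import re
from typing import List, Optional


def _check_digit(digits: List[int]) -> int:
    """Weights run from len(digits)+1 down to 2; result is 0 if the remainder is
    0 or 1, otherwise 11 minus the remainder."""
    weights = range(len(digits) + 1, 1, -1)
    rem = sum(d * w for d, w in zip(digits, weights)) % 11
    return 0 if rem < 2 else 11 - rem


def normalize_cpf(text: str) -> Optional[str]:
    """Strip the conventional 000.000.000-00 punctuation; return 11 digits or None."""
    digits = re.sub(r"[.\-\s]", "", text)
    return digits if re.fullmatch(r"\d{11}", digits) else None


def cpf_is_well_formed(text: str) -> bool:
    """True when both check digits match. Strings of one repeated digit satisfy
    the formula but were never issued as real CPFs, so they are rejected too."""
    digits = normalize_cpf(text)
    if digits is None or len(set(digits)) == 1:
        return False
    nums = [int(c) for c in digits]
    first = _check_digit(nums[:9])
    second = _check_digit(nums[:9] + [first])
    return nums[9] == first and nums[10] == second


def redact_cpf(text: str) -> str:
    """Mask all but the two check digits so a CPF never lands in logs in full.
    Falls back to a fixed placeholder when the input is not a CPF-shaped string."""
    digits = normalize_cpf(text)
    if digits is None:
        return "<invalid-cpf>"
    return "***.***.***-" + digits[9:]
```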


I guess that the last two numbers are the mod 97 checksum, so it should then be 123.456.789-39.


Nah, discounts are on the 10% to 15% range, come on!


I don't know how it works in Brazil, I couldn't find any info about it through a quick search, but at least in Chile our equivalent ID number is public knowledge.


Yea, I found that strange. I wasn’t there long, but I found an insurance website which would show name/address/dob/phone number && RUT, when I entered a car / moto rego plate.

Which effectively meant any rego may as well be any / all those details. I’m sure there are plenty of other examples.


Context— ‘Albert Einstein’ here is the name of one of Brazil’s premier hospitals, with a hefty research arm.


I changed the title to give the correct context for international readers, a literal one would be "Ministry of Health password leak exposes data on 16 million covid patients"

What follows is a DeepL-based translation of https://saude.estadao.com.br/noticias/geral,vazamento-de-sen...

____________________________________

Ministry of Health password leak exposes data on 16 million covid patients

An Albert Einstein employee published on the Internet a list of users and passwords that gave access to databases of people tested, diagnosed and hospitalized; authorities such as Bolsonaro had their privacy violated

Fabiana Cambricoli, O Estado de S.Paulo 26th November 2020 | 05h00

At least 16 million Brazilians who were diagnosed with suspected or confirmed covid-19 had their personal and medical data exposed on the Internet for almost a month because of a leak of passwords for Ministry of Health systems. The records contain confidential medical information, such as clinical history and medications used on the patient.

Among the people who had their privacy violated, with exposure of information such as CPF, address, telephone and pre-existing diseases, are President Jair Bolsonaro and family members; the Minister of Health, Eduardo Pazuello; six other holders of ministries, such as Onyx Lorenzoni and Damares Alves; the governor of São Paulo, João Doria (PSDB), and 16 other governors, in addition to the presidents of the Chamber, Rodrigo Maia (DEM-RJ), and the Senate, Davi Alcolumbre (DEM-AP).

The data exposure was not caused by a hacker attack or by a system security failure. They were opened for consultation after an employee of Albert Einstein Hospital disclosed a list of users and passwords that gave access to the databases of people tested, diagnosed, and hospitalized by covid in the 27 states. According to Einstein, the hospital has access to the data because it is working on a project with the ministry.

With these passwords, it was possible to access covid-19 records released in two federal systems: the E-SUS-VE, in which suspicious and confirmed cases of the disease are reported when the patient has a mild or moderate condition, and the Sivep-Gripe, in which all hospitalizations for Severe Acute Respiratory Syndrome (SARS) are recorded, that is, the most severe patients.

The data exposure was discovered by Estadão after a report received by the reporter with the link to the page where the system passwords were available. The spreadsheet with the information was published on October 28 in the personal profile of Wagner Santos, Einstein's data scientist, on the github platform, used by programmers to host codes and files.

The report accessed the system to check the veracity of the data. When verifying that the passwords were valid, it searched for records of authorities who had already publicly disclosed diagnosis or suspicion of covid and confirmed that the data were correct. The Ministry's databases bring, besides the patients' personal information, details considered confidential about the clinical history, such as the existence of diseases or pre-existing conditions, among them diabetes, heart problems, cancer and HIV. Some records of hospitalized patients brought information from the medical records, such as which medications were administered during hospitalization. In Pazuello's registry, for example, it was possible to know on which floor of the Armed Forces Hospital he was hospitalized and which professional he discharged during his stay.

Both public and private patients had their data exposed. This is because the notification of suspected or confirmed cases of covid to the Ministry of Health is mandatory to all hospitals.

For the lawyer Juliano Madalena, professor of Digital Law and founder of the righitodigital.io forum, the leakage of passwords and exposure of data that should be safeguarded by public authorities is worrying. According to the expert, the information can be used for commercial purposes by different companies. "Health data can be used by companies in the industry that want to create specific products aimed at a public, by life insurance companies or health plans in an improper way, often even with a discriminatory aspect, because you have the information about the health history of the person," he says.

The lawyer says that, considering the General Law of Data Protection, it is the duty of whoever controls and accesses the data to adopt measures that avoid leaks. In this case, Einstein, its employee and the Ministry of Health can all be held responsible for collective damage for having exposed information from millions of people. Even when they do not act purposefully, those responsible for leaks of personal and sensitive data may be compelled to pay compensation for collective damage.

Ministry of Health and Einstein to investigate responsibility

After being reported by Estadão about the leakage of passwords from federal systems, Albert Einstein Hospital and the Ministry of Health said that the access keys were removed from the Internet and exchanged in the systems, information confirmed by the report. They also stated that an internal investigation will be opened by Einstein to ascertain the responsibilities.

Einstein stated that it was only informed yesterday afternoon, after being contacted by the reporter, that "a collaborator would have filed information of access to certain systems without the adequate protection". The hospital says it has communicated with the Ministry of Health so that "the measures were taken to assure the protection of the referred information".

Einstein also stated that all its employees undergo digital security training and that "it will take the appropriate administrative measures". Asked about the type of service it provided to the ministry, the hospital informed that it is a project of the Institutional Development Support Program of the Unified Health System (Proadi-SUS) in which epidemiological data were used to make predictive analysis of the pandemic.

The report questioned the institution why it had access to personal data and not only unidentified information and was informed that the database is not available to Einstein and only to the hospital employee who was based at the Ministry of Health itself.

The federal agency confirmed the partnership and said it held a meeting with Einstein to clarify the facts. It said that the professional Wagner Santos, who published the passwords, is employed by Einstein and has worked at the ministry since September as a data scientist. "In the scope of the ministry's security measures and in compliance and confidentiality protocols, he signed a term of responsibility before accessing the e-SUS Notifica database," said the federal ministry.

According to the ministry, Einstein confirmed that there was human failure by one of its collaborators - and not of the system - and informed that it initiated the process of ascertaining the facts. The agency said it is performing "the tracking of possible sites or cyberspaces where the data may have been replicated."

The ministry also said that the SUS Computing Department (DataSUS) immediately revoked all the logins and passwords that were contained in the aforementioned spreadsheet released by Einstein's employee. "The Ministry of Health emphasizes that all technicians who have access to its information systems sign a term of responsibility for the use of the information and all are aware that the disclosure of personal information is subject to criminal and administrative penalties."

Also contacted for the report, Einstein's employee Wagner Santos confirmed that he published the password spreadsheet in his profile on the github platform to perform a test in the implementation of a model, but forgot to remove the file from the public page.


The key nugget:

> The spreadsheet with the information was published on October 28 in the personal profile of Wagner Santos, Einstein's data scientist, on the github platform, used by programmers to host codes and files.

> Einstein's employee Wagner Santos confirmed that he published the password spreadsheet in his profile on the github platform to perform a test in the implementation of a model, but forgot to remove the file from the public page.

Unintentional leaking of credentials is real! Oh and yes, it took a month to hit the news!


> In this case, both Einstein and his employee and the Ministry of Health can be held responsible for collective damage for having exposed information from millions of people. Even when they do not act purposefully, those responsible for leaks of personal and sensitive data may be compelled to pay compensation for collective damage.

He f’d up bad, but the Brazilian government can literally ruin his entire life if they decide to make him the scapegoat of all this.


It really scares me that such a system does not have RBAC, limited data access, or even 2FA to prevent a single password leak from ruining everything.


I think that "such system" was put together using Django (or equivalent) over a 72h sprint on Friday to be "working by Monday" as an emergency measure.


Don’t consent to this information being collected in the first place.

Data not collected cannot be compromised or used against you.


I actually disagree that people should be able to opt out of contact tracing during a pandemic. Also, how do you opt out of a medical history? Doctors cannot treat you properly without one. I think proper infosec is the only way here or pen and paper if one cannot do that.


Or, you know, reducing the amount of data collected in the first place and deleting/permanently anonymizing it once it is no longer useful.


Absolutely, that's "data minimisation" in GDPR! All of the data collected should have been available only to the doctors with a need and researchers should have gotten an anonymised DB. But there is a problem of ML-assisted deanonymisation, so it cannot be a solution alone.


That's why deletion/non-collection is strictly preferable.


I agree with you in spirit but my experience is those data collection consent forms are mere formalities. I have seen my data collected/shared in numerous cases even when I didn't consent or affirm my agreement to such.

Not trying to demoralize. My point is I want something with real teeth (legal teeth). Damage to a company's reputation can be repaired in a quarter or few.


As much as I feel for people whose private data has been leaked, I'm excited for what data scientists might be able to find. I'm also mixed on the ethics of using data like that.


Regardless of ethics, it would surely be illegal – no?


Brazil being Brazil.


Paywalled


You can try this copy: https://archive.is/ZkV3A



