A failure in Unimed systems has unduly exposed the data of beneficiaries in several cities. Because of it, the registration data, medical history and company information could be accessed by anyone.
The error was discovered by the security group WhiteHat Brasil and published in Digital Look. According to the researchers, the breach exposed data such as full name, CPF, mother’s name, beneficiary code, e-mail and dependents.
The medical history, with records such as exams, x-ray images and death certificates were also exposed, as well as medical logins, internal emails and financial spreadsheets. The loophole allowed anyone to register, edit or delete information from the database.
It even allowed third parties to communicate with customers through the Unimed system. Also according to WhiteHat Brasil, the flaw was found in the company’s unit systems in four cities: Teresina (PI), Parnaíba (PI), Imperatriz (MA) and São Leopoldo (RS).
Unimed do Brasil, which represents the regional units, did not specify how many beneficiaries may have been affected. In a note to the Tecnoblog, the company said that “it continually invests in technologies that guarantee the security of its operations and the protection of the data for which it is responsible”.
He also affirmed that he ensures the security of information and the confidentiality of data of those who relate to the brand. “Valuing the privacy of its beneficiaries, it undertakes to investigate in detail any suspicions of leaks or cyber attacks”.
The statement also points out that each unit of the network has autonomy in its administration, including to use different systems. “Therefore, there is not necessarily a reflection of the situation of a cooperative in the others that make up the System”, indicated Unimed.