
The world’s largest healthcare cooperative, Unimed, left an exposed instance that leaked millions of patient-doctor messages. The data included uploaded pictures, documents, and other personal information.
Healthcare data is among the most sensitive and private pieces of information any individual has. Unfortunately, no matter how we treat it, it’s not immune to data leaks.
For example, the Cybernews research team discovered an unprotected Kafka instance owned by Brazilian healthcare giant Unimed. The company is a major player in Brazil's healthcare sector, with an estimated 15 million clients.
The exposed instance contained customer conversations with Unimed’s chatbot “Sara”, as well as with their doctors. Kafka is an open-source platform designed to facilitate real-time data transmission between systems.
Researchers were able to intercept over 140,000 messages sent via Unimed’s chat feature. However, based on the logs of the leaking instance, at least 14 million messages could’ve been sent in this insecure way.
“The leak is very sensitive as it exposed confidential medical information. Attackers could exploit the leaked details for discrimination and targeted hate crimes, as well as more standard cybercrime such as identity theft, medical and financial fraud, phishing, and scams,” our researchers said.
Unimed has closed the exposed instance after researchers notified the company about the issue.
Only after this article was published did the company send us an official statement. It said the “isolated incident” was identified in March, that it was promptly resolved, and that there was “no evidence, so far, of any leakage of sensitive data from clients, cooperative physicians, or healthcare professionals. An in-depth investigation remains ongoing.”

What details are involved in the Unimed data leak?
The exposed Kafka instance carried a real-time stream of messages between clients, bots, and Unimed associates. According to the team, the leaked details include:
- Uploaded pictures
- Uploaded documents
- Sent messages
- Names
- Phone numbers
- Email addresses
- Unimed card numbers
Healthcare data is a treasured asset in the cybercriminal underworld as attackers can abuse it in multiple ways. For example, malicious actors could utilize leaked details for identity theft, insurance scams, and targeted phishing attacks. Moreover, health records can be used to blackmail individuals as well as to impersonate them.
What makes the leak even worse is that, according to the team, the nature of the incident would have allowed anyone who intercepted the communications to send, delete, or edit messages sent to specific platform users. What malicious actors could do with such power is limited only by their imagination.
To mitigate the issue and avoid similar incidents in the future, the team advises Unimed to:
- Ensure the Kafka Broker can only be accessed by authorized consumers and producers by employing IP whitelisting and enabling built-in authorization and authentication features.
Disclosure timeline:
- Leak discovered: March 24th, 2025
- Initial disclosure: March 31st, 2025
- Leak closed: April 7th, 2025