A major healthcare data breach has affected Brazil’s largest medical cooperative, Unimed, after an unsecured Kafka server exposed over 14 million private messages between patients and doctors. The leaked data includes highly sensitive medical information, uploaded documents, images, and identifiable personal records.
Unsecured Kafka Instance Left Millions of Health Records Accessible
The Cybernews research team discovered an unprotected Apache Kafka instance linked to Unimed’s messaging systems. The server facilitated real-time communication between patients, doctors, and Unimed’s chatbot “Sara.” Researchers accessed over 140,000 messages and estimate that at least 14 million were transmitted via the insecure channel.
The exposed records included:
- Names
- Phone numbers
- Email addresses
- Unimed card numbers
- Uploaded pictures and documents
- Full chat transcripts
“The leak is very sensitive as it exposed confidential medical information. Attackers could exploit the leaked details for discrimination and targeted hate crimes, as well as more standard cybercrime such as identity theft, medical and financial fraud, phishing, and scams,” researchers said.
Exploitable Vulnerability Posed Broader Security Threats
Due to the nature of the exposed Kafka system, researchers noted that an attacker could potentially send, delete, or alter messages in real time. This would allow malicious actors to impersonate users or manipulate medical interactions, increasing the risk of widespread fraud.
Unimed, which serves around 15 million clients, acted to close the exposed instance after being notified. The timeline of the incident is as follows:
- Leak discovered: March 24, 2025
- Initial disclosure: March 31, 2025
- Leak closed: April 7, 2025
Risks Tied to Healthcare Data Exposure
Healthcare information is among the most valuable assets in cybercrime circles. The exposed messages and associated data could be weaponized for:
- Identity theft
- Insurance and medical fraud
- Blackmail
- Targeted phishing campaigns
- Impersonation for financial or political gain
The scale and sensitivity of the breach amplify concerns around data protection in healthcare systems, especially when real-time communications are involved.
Security Recommendations to Prevent Recurrence
The researchers advised Unimed to:
- Restrict Kafka Broker access to authorized IPs
- Enable built-in authentication and authorization
- Regularly audit exposed services and communication logs
At the time of writing, Unimed has not issued a public response to the breach.
