The Cybernews research team discovered an unprotected Apache Kafka instance belonging to Unimed, the world's largest healthcare cooperative, which exposed sensitive data from millions of Brazilian patients. Unimed, which has approximately 15 million clients, maintained an exposed instance containing customer conversations with the company's chatbot "Sara," as well as communications with physicians. Apache Kafka is an open-source platform for real-time data streaming between systems; a broker left reachable without authentication lets anyone who can connect to it read the message streams it carries.

Researchers were able to intercept more than 140,000 messages sent through Unimed's chat feature, but based on the logs of the exposed instance, at least 14 million messages could have been transmitted insecurely. The leak included uploaded photos, documents, and other personal information belonging to patients. Health data is among the most sensitive and private information an individual holds, making this incident particularly serious from a privacy and data protection standpoint.

According to the researchers, attackers could exploit the leaked details for targeted discrimination and hate crimes, in addition to more common cybercrimes such as identity theft, medical and financial fraud, phishing, and scams. The exposure of confidential medical information poses significant risks to affected patients, who may face consequences ranging from personal embarrassment to financial harm and discrimination based on health conditions.

Unimed took down the exposed instance after being notified of the issue by the researchers. In an official statement, the company described the incident as "isolated," stating it was identified in March 2025 and promptly resolved, with no evidence of sensitive data leakage affecting clients, cooperating physicians, or healthcare professionals. The company clarified that the tool in question was an integration between the mobile app and a chat service used by only three cooperatives, exclusively for communication between beneficiaries and operators, limited to searching the accredited network and handling administrative requests — and did not allow direct contact between physicians and patients.

Update: On June 1st, Unimed informed the portal Convergência Digital that it detected an incident but that no data breach occurred. According to the statement: "Unimed do Brasil reports that it investigated an isolated incident, identified in March 2025 and promptly resolved, with no evidence, to date, of any leakage of sensitive data belonging to clients, cooperating physicians, or healthcare professionals. The in-depth investigation remains ongoing."

This post was translated and summarized from its original version using AI, with human review.

Source: Cybernews