Brazil Investigates Security Failures in Breach Affecting 500,000 Patients

15.07.2026

Brazil Investigates Security Failures in Breach Affecting 500,000 Patients

Brazil’s National Data Protection Authority, ANPD, has opened administrative sanction proceedings against Instituto Saúde e Cidadania (Isac), an organization that manages public healthcare facilities across several Brazilian states, including Goiás, Rio Grande do Sul, Bahia, Alagoas, Piauí, and Tocantins. The proceedings concern alleged failures to comply with personal data protection requirements following a large-scale ransomware attack.

The incident occurred in 2025 and affected approximately 500,000 patient records. Of those affected, 78,772 were children and adolescents, while 47,921 were elderly individuals.

The attackers may have gained access to sensitive personal information, including health data such as:

  • Names and dates of birth
  • Outpatient visit records
  • Examination histories, medical records, and prescriptions
  • Information on hospitalizations, diagnoses, and medical procedures

ANPD is investigating whether Isac had implemented the appropriate technical and organizational security measures required under Brazil’s General Data Protection Law, LGPD. The regulator has also raised concerns about the organization’s response after the attack.

Isac argued that the incident did not pose a significant risk to patients because the attackers had allegedly accessed only administrative information and databases related to contracts that had already expired. However, the organization failed to provide sufficient technical evidence to support this assessment.

In addition, Isac did not notify each affected individual directly, instead publishing a notice on its website. According to ANPD, the notice was incomplete, as it did not specify the date of the incident, the categories of data and individuals affected, or the measures taken by the organization before and after the attack. The regulator also noted that Isac’s website did not provide information about the person responsible for personal data processing.

The organization has been given ten business days to submit its defense. If the violations are confirmed, ANPD may impose sanctions under the LGPD, ranging from an official warning to a fine of up to 2% of the organization’s revenue. The regulator may also temporarily restrict or fully prohibit activities involving the processing of personal data.


The consequences of a data breach can be severe. That is why the key question is not only how to limit the damage after an incident, but how to prevent it through timely detection of suspicious activity, proactive security control, and continuous monitoring.

Check the compliance section to learn how SearchInform solutions help organizations meet common regulatory requirements.


Letter Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyber incidents.