
Brazil’s National Data Protection Agency, ANPD, has opened administrative sanction proceedings against Instituto Saúde e Cidadania (Isac), an organization that manages public healthcare facilities across several Brazilian states, including Goiás, Rio Grande do Sul, Bahia, Alagoas, Piauí, and Tocantins. The proceedings concern alleged failures to comply with personal data protection requirements following a large-scale ransomware attack.
The incident occurred in 2025 and affected approximately 500,000 patient records. Of those affected, 78,772 were children and adolescents, while 47,921 were elderly individuals.
The attackers may have gained access to sensitive personal information, including health data such as:
ANPD is investigating whether Isac had implemented the appropriate technical and organizational security measures required under Brazil’s General Data Protection Law, LGPD. The regulator has also raised concerns about the organization’s response after the attack.
Isac argued that the incident did not pose a significant risk to patients because the attackers had allegedly accessed only administrative information and databases related to contracts that had already expired. However, the organization failed to provide sufficient technical evidence to support this assessment.
In addition, Isac did not notify each affected individual directly, instead publishing a notice on its website. According to ANPD, the notice was incomplete, as it did not specify the date of the incident, the categories of data and individuals affected, or the measures taken by the organization before and after the attack. The regulator also noted that Isac’s website did not provide information about the person responsible for personal data processing.
The organization has been given ten business days to submit its defense. If the violations are confirmed, ANPD may impose sanctions under the LGPD, ranging from an official warning to a fine of up to 2% of the organization’s revenue. The regulator may also temporarily restrict or fully prohibit activities involving the processing of personal data.
The consequences of a data breach can be severe. That is why the key question is not only how to limit the damage after an incident, but how to prevent it through timely detection of suspicious activity, proactive security control, and continuous monitoring.
Check the compliance section to learn how SearchInform solutions help organizations meet common regulatory requirements.
SearchInform uses four types of cookies as described below. You can decide which categories of cookies you wish to accept to improve your experience on our website. To learn more about the cookies we use on our site, please read our Cookie Policy.
Necessary Cookies
Always active. These cookies are essential to our website working effectively.
Cookies does not collect personal information. You can disable the cookie files
record
on the Internet Settings tab in your browser.
Functional Cookies
These cookies allow SearchInform to provide enhanced functionality and personalization, such as remembering the language you choose to interact with the website.
Performance Cookies
These cookies enable SearchInform to understand what information is the most valuable to you, so we can improve our services and website.
Third-party Cookies
These cookies are created by other resources to allow our website to embed content from other websites, for example, images, ads, and text.
Please enable Functional Cookies
You have disabled the Functional Cookies.
To complete the form and get in touch with us, you need to enable Functional Cookies.
Otherwise the form cannot be sent to us.
Subscribe to our newsletter and receive a bright and useful tutorial Explaining Information Security in 4 steps!
Subscribe to our newsletter and receive case studies in comics!