SUS Brazil 2024 Data Breach

Brazil SUS National Health System Breach (2024): 178 Million Patient Records Including SSN & Home Address | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Social EngineeringMedicalFull NameGovernment IDPhone NumberPhysical AddressSocial Security Number
Low SeverityWebsite / service breach

Brazil SUS National Health System Breach (2024): 178 Million Patient Records Including SSN & Home Address

Public healthcare administration and patient records.

Verified by ObscureIQ Intelligence
0/100Breach Risk Index
35Data Value

Breach Intelligence Summary

Entity: SUS Brazil · Actor: Unknown · Sources: 2 references
Attack: Social Engineering
Profile: Government Healthcare System · Public healthcare administration and patient records · National public health database and care infrastructure · Brazil
Timeline: Breach (2024-11-22) · Year (2024)
Exposure: 178.0M records · 5 fields: Full Name, Government ID, Phone Number, Physical Address, Social Security Number
Status: Reported

Executive Summary

Brazil's national public health system, SUS (Sistema Único de Saúde), suffered a critical data breach in September 2024 when a dark-web trader posted what was claimed to be a full replica of Datasus, the national patient database that underpins the entire system. A torrent shared on 18 September advertised 177.9 million rows, effectively a record for every living and deceased Brazilian on file. Sample files matched the schema used by official SUS enrollment systems. No government agency has confirmed how attackers obtained the data, though threat analysts who examined sample slices found records timestamped between 2015 and 2023, suggesting a recent exfiltration rather than an aggregation of older leaks. The breach was carried out via social engineering, with the data pathway traced as a direct extraction from the database infrastructure. The exposed records included full names, Brazilian government ID numbers (CPF), Social Security information, phone numbers, and home addresses. Because CPF numbers and National Health Card numbers are permanent identifiers that rarely change, this dataset is particularly dangerous. Within 24 hours of the initial post, Brazilian Telegram channels were offering CPF lookups on demand, and criminal forums were bundling the archive into combo lists targeting banks and financial technology companies. A 90 GB cloud-hosted copy of the data remained accessible for at least a week after takedown requests were filed, leaving the information widely distributed before any containment was possible. Brazil's National Data Protection Authority (ANPD) opened a formal inquiry, and the Federal Police launched an investigation that led to the arrest of a suspected data broker accused of selling fragments of the archive internationally. Given the population-scale nature of the breach, no formal notification to affected individuals has been documented. For the estimated 178 million people whose records were exposed, the practical risks include identity theft, prescription fraud, and targeted phishing campaigns using their real personal and health system details.

ObscureIQ assessment: Severe risk of identity theft, medical fraud, privacy harm, and healthcare-themed scams. National system scale increases both reach and persistence of downstream harm.

Breach Impact

In September 2024 a dark-web trader posted what was claimed to be a full replica of the Datasus national patient database, advertising approximately 177.9 million rows — effectively every living and deceased Brazilian person on record. The exposed data included names, Brazilian government IDs (CPF numbers), phone numbers, home addresses, and Social Security information. Brazil's National Data Protection Authority opened a formal inquiry. The Federal Police investigation, which evolved into what was termed Operation Data Breach in 2024, led to the arrest of a suspected data broker accused of selling fragments of the archive internationally. Unlike a private company breach, formal notification to affected individuals was not documented as having occurred given the population-scale nature of the exposure.

About SUS Brazil

SUS — the Sistema Único de Saúde — is Brazil's national public health system, constitutionally established in 1988 to provide universal healthcare access to all Brazilian citizens. The system is administered by the Ministry of Health and encompasses hospitals, clinics, laboratories, and the national patient database infrastructure known as Datasus, which underpins clinical records, insurance processing, and public health surveillance across the country. SUS serves the full Brazilian population and is one of the largest public health systems in the world by coverage.

Why They Hold Your Data

National public-health systems collect patient identity, contact details, appointment history, insurance or eligibility records, treatment data, and healthcare-administration records across large care networks.

Recent Developments

Datasus and the broader SUS digital infrastructure have been subjects of ongoing modernization efforts, including expansion of the Rede Nacional de Dados em Saúde, a national health data network initiative. Brazil's data protection framework — the LGPD, enacted in 2020 — governs the handling of health data within the system. The adequacy of Datasus security practices has been a recurring concern in Brazilian data protection circles.

Data Points Exposed

5 verified field types
Full Name High
Government ID Critical
Phone Number
Physical Address High
Social Security Number Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Identity theft and synthetic identity construction using government-issued IDs
  • SIM swap attacks where phone numbers are present
  • Doxxing risk from physical address exposure
Threat vectors:
  • Name-based social engineering
  • Identity fraud with official bodies
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat
  • Full identity theft & synthetic identity fraud

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
IdentityTheft.gov
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the SUS Brazil breach?

Brazil's national public health system, SUS (Sistema Único de Saúde), suffered a critical data breach in September 2024 when a dark-web trader posted what was claimed to be a full replica of Datasus, the national patient database that underpins the entire system. A torrent shared on 18 September…

What data was exposed?

Verified fields include Full Name, Government ID, Phone Number, Physical Address, Social Security Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation