Brazil's national public health system, SUS (Sistema Único de Saúde), suffered a critical data breach in September 2024 when a dark-web trader posted what was claimed to be a full replica of Datasus, the national patient database that underpins the entire system. A torrent shared on 18 September advertised 177.9 million rows, effectively a record for every living and deceased Brazilian on file. Sample files matched the schema used by official SUS enrollment systems. No government agency has confirmed how attackers obtained the data, though threat analysts who examined sample slices found records timestamped between 2015 and 2023, suggesting a recent exfiltration rather than an aggregation of older leaks. The breach was carried out via social engineering, with the data pathway traced as a direct extraction from the database infrastructure. The exposed records included full names, Brazilian government ID numbers (CPF), Social Security information, phone numbers, and home addresses. Because CPF numbers and National Health Card numbers are permanent identifiers that rarely change, this dataset is particularly dangerous. Within 24 hours of the initial post, Brazilian Telegram channels were offering CPF lookups on demand, and criminal forums were bundling the archive into combo lists targeting banks and financial technology companies. A 90 GB cloud-hosted copy of the data remained accessible for at least a week after takedown requests were filed, leaving the information widely distributed before any containment was possible. Brazil's National Data Protection Authority (ANPD) opened a formal inquiry, and the Federal Police launched an investigation that led to the arrest of a suspected data broker accused of selling fragments of the archive internationally. Given the population-scale nature of the breach, no formal notification to affected individuals has been documented. For the estimated 178 million people whose records were exposed, the practical risks include identity theft, prescription fraud, and targeted phishing campaigns using their real personal and health system details.

National public-health systems collect patient identity, contact details, appointment history, insurance or eligibility records, treatment data, and healthcare-administration records across large care networks.

Datasus and the broader SUS digital infrastructure have been subjects of ongoing modernization efforts, including expansion of the Rede Nacional de Dados em Saúde, a national health data network initiative. Brazil's data protection framework — the LGPD, enacted in 2020 — governs the handling of health data within the system. The adequacy of Datasus security practices has been a recurring concern in Brazilian data protection circles.