Unimed’s Open Secret: Millions of Sensitive Patient-Doctor Chats Found Unsecured Online

A major healthcare cooperative, Unimed, inadvertently left a vast database containing millions of patient-doctor messages, alongside a wealth of sensitive healthcare information, personal documents, and images, completely unsecured online. The alarming discovery was made by cybersecurity researchers from Cybernews, who identified an exposed Kafka instance as the source of the leak.
The investigation revealed that the unsecured chat logs were generated from interactions patients had with “Sara,” Unimed’s AI-powered chatbot, as well as conversations with human doctors. This breach exposed a treasure trove of highly personal data. Cybernews reported its researchers were able to intercept over 140,000 messages during their investigation. However, based on the logs of the leaking instance, they estimate that “at least 14 million” messages could have been sent and potentially exposed through this vulnerability over time.
The compromised information is deeply concerning, including:
- Uploaded patient pictures and documents
- Full names
- Phone numbers
- Email addresses
- Unimed card numbers
- The content of private messages between patients and healthcare providers
Cybernews researchers highlighted the extreme sensitivity of such a leak, warning that attackers could exploit the details for “discrimination and targeted hate crimes, as well as more standard cybercrime such as identity theft, medical and financial fraud, phishing, and scams.”
A particularly modern and chilling threat involves the potential use of Large Language Models (LLMs). While sifting through millions of messages manually is a daunting task, threat actors could feed such an archive into an AI, allowing them to efficiently build detailed patient profiles. These profiles could then be used to draft highly authentic and personalized phishing lures, significantly increasing their chances of success.
Fortunately, upon being notified by Cybernews, Unimed acted to lock down the exposed instance. In a notification email, the healthcare cooperative stated, “Unimed do Brasil informs that it has investigated an isolated incident, identified in March 2025, and promptly resolved, with no evidence, so far, of any leakage of sensitive data from clients, cooperative physicians, or healthcare professionals. An in-depth investigation remains ongoing.” Unimed claims that the vulnerability was not discovered by any malicious actors before Cybernews’ intervention.
For context, a healthcare cooperative like Unimed is a member-owned, nonprofit organization that provides or facilitates access to healthcare services for its members.
This incident serves as a stark reminder of the critical importance of robust cybersecurity measures, especially when dealing with highly sensitive personal and medical data. While Unimed’s swift action to secure the database once notified is commendable, the potential exposure underscores the ongoing threats individuals face and the necessity for constant vigilance from organizations handling their information.