On February 4, 2026, the Brazilian Federal Police launched an operation to investigate a business structure allegedly involved in the illegal access to and sale of sensitive personal health data belonging to patients of the Unified Health System (SUS). The case raises potential violations of criminal law and personal data protection regulations, particularly with respect to the unlawful processing of health data, which are classified as sensitive personal data under the Brazilian General Data Protection Law (LGPD).
The investigation was initiated following a notification from the Ministry of Health, through Datasus, regarding a cybersecurity incident involving an artificial intelligence-based tool used in the healthcare context. According to the authorities, the system enabled unauthorized access to confidential clinical information through identifying data, leading to judicial measures aimed at immediately halting the unlawful processing, including the suspension of domains and APIs. Those under investigation may face criminal charges such as invasion of computer devices and qualified receipt of illicit data, in addition to potential administrative and civil liabilities arising from violations of the LGPD.