Millions of sensitive patient-doctor chats were exposed after a major misconfiguration at Brazil’s largest healthcare cooperative.
Unimed, the world’s largest healthcare cooperative with roughly 15 million clients, suffered a data exposure involving an unsecured Kafka instance. Researchers at Cybernews discovered that millions of private messages exchanged between patients, doctors, and Unimed’s chatbot ‘Sara’ were left accessible without authentication.
The exposed data included uploaded documents, photos, personal messages, and identifiable user information. Although researchers directly intercepted around 140,000 messages, system logs suggest that at least 14 million messages may have been at risk during the breach window.
The leak stemmed from an unprotected Kafka broker, an open-source system used for handling real-time data streams. The exposed instance included communication logs between patients and Unimed associates, as well as chat history with the platform’s automated assistant.
Exposed information reportedly included:
Researchers noted that the nature of the misconfiguration could have allowed malicious actors not only to access but also to manipulate the data, potentially sending, editing, or deleting messages on behalf of users.
After researchers notified Unimed, the vulnerable server was taken offline on April 7, 2025. In a formal statement issued after the article was published, Unimed confirmed the incident was identified in March and said there is currently “no evidence, so far, of any leakage of sensitive data from clients, cooperative physicians, or healthcare professionals.” The company described the exposure as an “isolated incident” and said an in-depth investigation is still ongoing.
Cybernews researchers, however, stressed the serious risks involved, noting that exposed healthcare data could be misused for identity theft, financial fraud, discrimination, or blackmail.
Misconfigured cloud infrastructure continues to pose serious risks, particularly in healthcare settings where real-time platforms transmit sensitive information. The Unimed incident exposed a system flaw that could have allowed interception or manipulation of live communications, although no confirmed exploitation has been reported. With more healthcare providers relying on real-time technologies, strong access controls, authentication protocols, and continuous monitoring are needed to reduce the risk of similar exposures.
Apache Kafka is a platform used to stream data in real time between services. In this case, Unimed used it to facilitate live messaging but left the system publicly accessible without proper security controls.
Without authentication or IP restrictions, anyone who finds the instance can view or even interfere with the data streams, compromising both privacy and system integrity.
In addition to identity theft, attackers could impersonate users, alter medical messages, or use private health data to extort or harass individuals.
Live messaging platforms transmit data continuously and often lack persistent storage, making traditional security tools harder to apply. If improperly secured, they provide direct access to unfiltered user data.
Providers should restrict access using IP whitelisting, require user authentication, enable encryption, and monitor all real-time infrastructure for unusual activity or configuration errors.
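The controls listed above map directly onto a handful of settings in a Kafka broker's server.properties. The following script is an added example written for this article, not code from Unimed or from the Apache Kafka project: it parses a broker configuration and flags the settings that leave a cluster open to anonymous reading or writing (a PLAINTEXT listener, no authorizer, anonymous fallback when no ACL matches). The two configurations embedded in it are constructed samples; the hostnames, file paths and user name in them are placeholders.

```python
"""Audit a Kafka broker's server.properties for settings that allow
anonymous read/write access to the data streams.

Added example for this article; not Unimed's or Apache Kafka's own code.
The checks encode standard Kafka hardening guidance: authenticated and
encrypted listeners, an authorizer, and no anonymous fallback when a
topic has no ACL. Sample configurations below are constructed."""

from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str        # the server.properties key the finding concerns
    severity: str   # "high", "medium" or "low"
    message: str


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: 'key=value' or 'key: value',
    with '#' and '!' comment lines. Later keys override earlier ones."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def listener_protocols(props: dict[str, str]) -> set[str]:
    """Return the security protocol of every configured listener.

    'listeners' looks like 'PLAINTEXT://:9092,SASL_SSL://:9093'. A listener
    may carry a custom name that 'listener.security.protocol.map' maps to
    a protocol, so that mapping is honoured. Kafka's default when the key
    is absent is a single PLAINTEXT listener on 9092."""
    raw = props.get("listeners", "PLAINTEXT://:9092")
    proto_map: dict[str, str] = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        if ":" in pair:
            name, proto = pair.split(":", 1)
            proto_map[name.strip()] = proto.strip()
    protocols: set[str] = set()
    for listener in raw.split(","):
        name = listener.split("://", 1)[0].strip()
        if name:
            protocols.add(proto_map.get(name, name))
    return protocols


def audit_kafka_config(text: str) -> list[Finding]:
    """Run every check and return the findings (empty list means clean)."""
    props = parse_properties(text)
    findings: list[Finding] = []

    for proto in sorted(listener_protocols(props)):
        if proto == "PLAINTEXT":
            findings.append(Finding("listeners", "high",
                "PLAINTEXT listener accepts unauthenticated, unencrypted connections"))
        elif proto == "SSL" and props.get("ssl.client.auth", "none") != "required":
            findings.append(Finding("ssl.client.auth", "high",
                "SSL listener encrypts traffic but does not authenticate clients; set ssl.client.auth=required"))
        elif proto == "SASL_PLAINTEXT":
            findings.append(Finding("listeners", "medium",
                "SASL_PLAINTEXT authenticates clients but sends credentials and data in the clear"))

    # Without an authorizer, every authenticated client can read and write every topic.
    if "authorizer.class.name" not in props:
        findings.append(Finding("authorizer.class.name", "high",
            "no authorizer configured: any client that connects can read or write every topic"))

    # Default is false; 'true' makes topics without an explicit ACL world-accessible.
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append(Finding("allow.everyone.if.no.acl.found", "high",
            "topics without an explicit ACL are open to everyone"))

    # Default is true; implicit topic creation widens what an unexpected client can do.
    if props.get("auto.create.topics.enable", "true").lower() == "true":
        findings.append(Finding("auto.create.topics.enable", "low",
            "clients can create topics implicitly; disable to keep the topic set controlled"))

    return findings


# Constructed sample: the shape of an exposed broker (no auth, no TLS, no ACLs).
WEAK_CONFIG = """
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.internal:9092
log.dirs=/var/lib/kafka
"""

# Constructed sample: the hardened counterpart (SASL/SCRAM over TLS, ACLs enforced).
# StandardAuthorizer is the KRaft-mode authorizer; paths and the admin user are placeholders.
HARDENED_CONFIG = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker.example.internal:9093
security.inter.broker.protocol=SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.truststore.location=/etc/kafka/ssl/broker.truststore.jks
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
auto.create.topics.enable=false
super.users=User:admin
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for f in audit_kafka_config(cfg) or [Finding("-", "ok", "no findings")]:
            print(f"  {f.severity:6} {f.key}: {f.message}")
```

Run it against a real server.properties by reading the file into `audit_kafka_config`. Note that network-level restrictions (the IP allow-listing mentioned above) live in firewall or security-group rules, not in this file, so a clean audit here still assumes the broker's ports are not reachable from the internet.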