Health-ISAC has issued harsh warnings about escalating cyberattacks in Brazil's health sector, urging immediate improvements in information sharing to enhance defenses. The report highlights how intelligence exchanges make patient data and critical infrastructure increasingly vulnerable. It notes that Health-ISAC, with members in over 140 countries, is focused on strengthening the resilience of patient care and helping vulnerable regions confront rapidly evolving and often underreported cyber risks.
“The Landscape and Impact of Brazil's Critical Infrastructure Threats” is part of Health-ISAC's monthly series examining how geopolitical forces shape security in the health sector. It details how the pressures of delivering fragmented care, increasing data centralization, and the combination of cybercriminals and state-supported actors are straining Brazil's healthcare infrastructure.
“From ransomware gangs disrupting hospital operations to state-sponsored officials targeting sensitive medical data, Brazilian health groups are under pressure from all directions,” said Errol Weiss, Health-ISAC's chief security officer. “This report provides coordinated guidance to help health sector entities understand and respond to these risks.”
Diego Mariano, security lead for Hospital Israelita Albert Einstein, added: “The cybersecurity landscape remains fragmented, and the rise in threats beyond local preparation — vigilance and collaboration are no longer important, but these reports provide a great deal of transparency and context for Brazilian healthcare institutions who don't always access these sections.”
“We are pleased to announce that we are committed to providing a range of services to our customers,” said Denise Anderson, president and CEO of Health-ISAC. “Building stronger information sharing connections across borders will help health systems become more resilient everywhere.”
To address these important issues further, Health-ISAC will invite Latin American health security leaders to a workshop in Mobi in Sao Paulo, held at the Hospital Israelita Albert Einstein on September 9th. This workshop provides a unique platform for learning about threats and best practices, working with peers, and building essential relationships to promote collective resilience against Brazil's evolving threat landscape. Those interested in participating can register online.
The report highlighted that fragmented care between rural and urban clinical settings increased the risk of violence against health sector employees. Access to centralized healthcare in Brazil relies on large data stores, which are frequent targets for threat actors. Nation-state groups and financially motivated criminals pose the risk of spying, data breaches and extortion, while key Brazilian infrastructure organizations face a wide range of threats, including sophisticated state-sponsored campaigns and an unprecedented increase in cybercrime and hacktivist activity. These actors pose significant financial and operational risks, particularly for healthcare institutions.
Additionally, petty offenders and organized groups sometimes threaten the continuity of critical services. Copper cable theft is widespread, sometimes causing power outages and disabling traffic light systems, while organized criminal groups have damaged, or interfered with the maintenance of, water stations and communication antennas in low-income areas under their control. Such actions create operational challenges for health service providers operating in these regions.
The report also warned that protests and labor actions are likely to escalate ahead of Brazil's 2026 election. The country's polarized political and social environment is expected to promote repeated demonstrations and strikes over the next 18 months, increasing the likelihood of sporadic and violent or destructive events.
The risk of terrorism remains low, but isolated plots continue to surface. Although Brazil has not experienced any terrorist attacks in recent decades, police have halted several conspiracies in recent years that have highlighted the underlying threat of religiously or politically motivated attacks.
The report highlights that increasingly frequent and extreme weather events pose a growing danger to transportation and utilities. While severe droughts threaten hydroelectric power and water transport, heavy rain can cause flash floods and landslides, which can cause widespread damage to urban and road infrastructure.
Beyond foreign state-sponsored parties, non-state cybercriminals and hacktivists have also become more prominent threats in recent years, with the former posing significant financial and operational risks for vulnerable organizations, including critical infrastructure entities, and the latter conducting low-level, short-term cyber campaigns.
“Beyond foreign state-related threats, cybercriminals are likely to be more relevant threats as weak enforcement measures against Brazil's illegal digital groups have led to an increase in various domestic cybercrime syndicates that regularly target domestic and international entities,” he added. “While Brazil has become particularly notorious for a broad range of homegrown banking trojans, which primarily affect financial account holders, cybercriminals have also pursued more sophisticated ransomware attacks that have impacted private and public sector entities alike (including repeated hacks against Brazilian government ministries), as these groups seek out organizations across industries that have weak cybersecurity defenses and present an opportunity for extortion.”
Furthermore, financially motivated threat actors are often drawn to sectors with a higher propensity to avoid operational disruption.
“Brazil witnessed the influx of hacktivism as independent, politically motivated groups became more prominent in the wake of the foreign crises from the Russian-Ukrainian War to the Israel-Hamas War,” the report said. “Brazil is not directly affected by these crises, but Brazilian organizations are occasionally caught up in the intersection of hacktivist activities, but these groups usually rely on low-level tactics such as distributed denial-of-service (DDoS) and website denial campaigns, industry companies such as miners and oil and gas companies.”
The Health-ISAC report observed that access to health care is a constitutional right in Brazil. To ensure that citizens can exercise this right, the Brazilian government operates a Unified Health System (SUS), a national health services model that allows centralized access to care. These large, centralized data stores are targeted by threat actors in the threat environment of the Brazilian health sector. Database security can be a frontline security issue for Brazilian health sector entities. Data breaches involving patient PHI (protected health information) can cause major reputational damage to individual care providers delivering services in Brazil and abroad, and to their parent companies.
Health-ISAC recommends several measures to reduce the risk of data breaches. Organizations should audit user permissions to ensure that employees only have the access their role requires and to avoid privilege creep. This limits the damage that threat actors may inflict if a modest account is compromised. Data should be stored in encrypted form to reduce exposure in the event of exfiltration, make stolen information much more difficult to use, and reduce potential reputational damage.
Additionally, input validation measures should be implemented in public data portals to reduce the risk of SQL injection attacks and reduce the likelihood of data exfiltration or tampering.
In June, Health-ISAC reported a persistent wave of cybersecurity incidents and data breaches affecting healthcare organizations over the past year, as detailed in its first-quarter 2025 Heartbeat. Ransomware activity dipped slightly in the third quarter of 2024, but rebounded in the fourth quarter and continued to climb in early 2025. Vulnerabilities affecting VPN providers and the use of compromised credentials remained a consistent threat to the sector.
During this period, Health-ISAC issued 220 targeted alerts to member organizations with potentially vulnerable infrastructure, allowing security teams to address actively exploited flaws before they were used in attacks against them.