
Conasems Data Breach Exposes 68,000 Users and CPF Numbers in Major Brazilian Health Sector Leak

The Conasems data breach has emerged as an alarming cybersecurity incident targeting the center of Brazil’s public health administration. A threat actor known as @888 is advertising the alleged leak of a sensitive database belonging to Conasems, the Conselho Nacional de Secretarias Municipais de Saúde, which represents all municipal health secretariats across Brazil. The attacker claims that the dataset contains 68,000 unique user records, including CPF numbers, full names, email addresses, administrative roles, and other critical personal information tied to Brazil’s national public health infrastructure. Because the breach is dated November 2025, it represents an active and ongoing threat to both individuals and institutions across Brazil.

Conasems operates as a central political and administrative organization within Brazil’s public health system (Sistema Único de Saúde, or SUS). It coordinates the country’s municipal health secretariats, influences public health policies, manages communications between federal and state health agencies, and plays a vital role in national health governance. A compromise of its database exposes high-value personal information belonging to government health officials, regional administrators, medical directors, policy advisors, and system-level users. The presence of CPF numbers makes this leak particularly dangerous, as CPF is Brazil’s core national identifier and a critical component used for banking, taxation, government benefits, healthcare services, and background verification.

The Conasems data breach is not an isolated incident. It is the latest event in a systemic cybersecurity crisis affecting Brazil’s public health institutions across 2024 and 2025. Threat actors have repeatedly targeted government-affiliated platforms and healthcare IT providers, exploiting weak security controls, outdated software, misconfigured systems, and high-value personal data stored within public health databases. The attack involving Conasems represents an escalation because of the attacker’s reputation, the institutional importance of the target, and the nature of exposed static identifiers like CPF.

Background of the Conasems Data Breach

The Conasems data breach was disclosed on a cybercrime forum by the threat actor @888. The leak includes a partial dataset preview along with claims that the full database contains approximately 68,000 affected individuals. The inclusion of CPF numbers means that each record contains highly sensitive PII that can be used for identity theft, credit fraud, illicit financial activity, account takeover attempts, and targeted social engineering. CPF, equivalent in importance to the United States Social Security number, cannot be easily changed and remains bound to a person for life.

This breach follows multiple high-profile incidents throughout 2025 that have destabilized Brazil’s public health sector. In September 2025, the KillSec ransomware group attacked MedicSolution, a major healthcare IT provider, leaking 34 gigabytes of patient medical records, including X-rays, lab exam data, and internal correspondence. Earlier in January 2025, the National Health Foundation experienced a massive 90 gigabyte breach involving sensitive organizational data. Both incidents exposed deep vulnerabilities across Brazil’s interconnected health sector, including issues with vendor security, outdated platforms, inadequate encryption, and insufficient oversight of third-party access.

Brazil’s public health institutions have experienced a dramatic rise in cyberattacks since 2021, with a reported increase exceeding 3,000 percent. This surge is driven by cybercriminals who target systems that store large volumes of valuable PII and health-related data, often maintained across distributed, underfunded infrastructure with inconsistent cybersecurity standards. The Conasems data breach is symptomatic of these broader structural weaknesses.

Scope and Nature of the Conasems Data Breach

The threat actor states that the Conasems database contains 68,000 unique users from across Brazil’s public health administration. While the full dataset has not been released publicly, preview samples suggest that the database includes:

  • Full names
  • CPF numbers (Cadastro de Pessoas Físicas)
  • Email addresses and contact details
  • Organizational roles and administrative privileges
  • Usernames and login metadata
  • Account creation or registration details
  • Affiliations with municipal or state health secretariats

The presence of CPF numbers significantly elevates the risk associated with the Conasems data breach. CPF is used for nearly all public and private sector transactions in Brazil, including salary payments, tax declarations, banking activities, loan applications, hospital check-ins, pharmacy purchases, and job applications. Criminals who obtain CPF data can weaponize it for:

  • Identity theft and fraudulent account creation
  • Banking fraud and unauthorized credit applications
  • Mobile phone account takeover
  • Government benefit fraud
  • Targeted phishing using accurate personal details
  • Dark web resale of full identity kits

This means that the Conasems data breach presents risks not only to municipal health officials but also to broader government supply chain partners, healthcare providers, and anyone interacting with the SUS ecosystem through Conasems-managed platforms.

The Conasems Data Breach in the Context of Brazil’s Public Health Cyber Crisis

The Conasems data breach reflects an escalating crisis within Brazil’s public health sector. Over the past two years, Brazil has faced a wave of cyber incidents that highlight structural vulnerabilities across its digital infrastructure.

  • MedicSolution was breached by KillSec in September 2025, leaking tens of gigabytes of sensitive medical records.
  • The National Health Foundation suffered a massive breach in January 2025 involving high-value data used for national health planning.
  • Multiple state and municipal health systems have reported ransomware attacks, data leaks, and system outages since 2024.
  • Banks, universities, educational platforms, and government ministries have also suffered breaches attributed to threat actors operating in Brazil.

The Conasems data breach stands out because it targets the central council coordinating municipal health departments across the nation. As a political and administrative body, Conasems maintains communication channels, directory information, policy management platforms, and login-based systems used by thousands of health officials and municipal administrators. A breach at this level jeopardizes the integrity of nationwide health coordination.

Why the Conasems Data Breach Is Particularly Severe

The Conasems data breach is exceptionally severe for several reasons, each of which contributes to long-term systemic risk in Brazil’s public health and national security environment.

Exposure of CPF Numbers

CPF is the single most important personal identifier in Brazil. Its exposure enables credential-based fraud, financial crimes, impersonation, and identity theft at a national scale. Unlike passwords, CPF cannot be changed.

High-Level Administrative Exposure

The dataset includes individuals who hold government and municipal roles within Brazil’s public health system. These users often have privileged access to systems that manage health policies, data flows, and operational workflows.

Threat Actor Reputation

The attacker @888 is a known data broker responsible for several significant leaks in 2025, including a 248,000-record breach of CIEE. Their involvement increases the credibility and potential impact of the Conasems data breach, as @888 typically sells or distributes complete, high-value datasets.

Impact Across All Municipal Health Departments

Conasems represents municipal secretariats across Brazil’s 5,500 municipalities. A breach at this level compromises contacts, administrators, and officials linked to the entire public health network.

Long-Term Damage Due to Static Identifiers

Since CPF numbers are static identifiers, they can be exploited years after the initial breach. This means the Conasems data breach may continue producing fraudulent activity for an extended period.

Likely Attack Vector Behind the Conasems Data Breach

While the threat actor did not provide technical details, the Conasems data breach likely stems from one or more common vulnerabilities:

  • Unpatched public-facing applications used for municipal health coordination
  • Weak authentication or absence of multi-factor controls
  • Compromised credentials acquired from previous Brazilian breaches
  • Misconfigured databases storing sensitive PII
  • Outdated or vulnerable CMS platforms used by government bodies
  • Inadequate access control policies for municipal user accounts
  • Insufficient monitoring and intrusion detection across distributed networks

Many public sector institutions in Brazil rely on legacy systems or budget-constrained infrastructure, making them attractive targets for threat actors looking for high-value PII datasets.

Impact of the Conasems Data Breach on Individuals

Individuals listed in the Conasems data breach are at immediate and long-term risk due to exposure of CPF and other personal information. Potential consequences include:

  • Fraudulent bank account or credit card creation
  • Unauthorized loan applications
  • Compromise of email or mobile phone accounts
  • Government benefit theft or manipulation
  • Harassment or extortion attempts via email
  • Targeted phishing using accurate personal details
  • Dark web resale of full identity data

Victims must act quickly to secure their identity information, monitor financial activity, and update security settings.

Impact of the Conasems Data Breach on Public Health Operations

The Conasems data breach may disrupt public health administration across Brazil. The exposure of administrative contacts, account details, and login identifiers can interfere with:

  • Municipal health communication workflows
  • Policy implementation coordination across states
  • Authentication systems used for health administration
  • Interdepartmental cooperation across SUS
  • Public messaging platforms used by municipal health authorities
  • Internal communication systems coordinating health initiatives

The breach also raises concerns about the integrity of government digital services and potential exploitation by cybercriminals looking to infiltrate municipal networks.

The Conasems data breach must be evaluated under the Lei Geral de Proteção de Dados (LGPD), Brazil’s General Data Protection Law. LGPD requires public and private entities to:

  • Implement appropriate technical and organizational measures
  • Ensure secure handling of personal data
  • Document data governance and processing activities
  • Maintain transparency regarding data breaches
  • Notify affected individuals and authorities when breaches occur

Given the sensitivity of CPF data, Conasems may face intense scrutiny from Brazil’s data protection authority, ANPD, as well as internal federal oversight bodies.

What Affected Individuals Should Do After the Conasems Data Breach

Individuals impacted by the Conasems data breach should take proactive steps to minimize risk:

  • Monitor bank accounts and credit reports for unauthorized activity
  • Enable multi-factor authentication on email and financial accounts
  • Be cautious of phishing emails referencing Conasems or health agencies
  • Review phone accounts for suspicious SIM activity
  • Record and report any fraudulent financial attempts
  • Consider freezing credit with financial institutions

All users should also perform malware scans using trusted tools such as Malwarebytes to ensure attackers did not deploy malicious payloads through phishing campaigns.

What Conasems and Associated Entities Should Do After the Data Breach

To contain the Conasems data breach, the organization should:

  • Launch a full forensic investigation
  • Identify compromised systems and entry points
  • Notify affected users and government stakeholders
  • Implement strict access controls for sensitive data
  • Enforce mandatory multi-factor authentication
  • Update or replace vulnerable systems
  • Harden security around municipal health network platforms
  • Enhance monitoring for suspicious login activity

Given the systemic nature of the issue, Conasems must coordinate closely with municipal secretariats across Brazil to strengthen data protection practices and prevent future breaches.

Steps Brazil’s Public Health Sector Should Take Moving Forward

The Conasems data breach highlights the urgent need for stronger cybersecurity across Brazil’s public health institutions. Immediate sector-wide actions include:

  • Conducting security audits of all public-facing systems
  • Applying all critical patches to government health platforms
  • Improving cloud security configurations and encryption
  • Enhancing authentication requirements across distributed networks
  • Centralizing security oversight for regional health systems
  • Improving disaster recovery plans for cyberattacks
  • Providing expanded training for municipal and state health workers
  • Monitoring dark web platforms for additional leaked data

The widespread exposure of CPF numbers and administrative health data requires long-term monitoring and systemic reforms, as static identifiers cannot be revoked or replaced.

For verified coverage of major data breaches and the latest cybersecurity threats, visit Botcrawl for ongoing updates and expert analysis on global digital security events.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
