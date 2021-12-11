Between August and October of this year, the Ministry of Health received 50,064 requests for correction of data registered in ConectaSUS, according to information from the folder itself obtained by the g1 through the Access to Information Law. Until this Friday, the application had about 190 million users — all registered in the Unified Health System (SUS).

Among these users, there are misspelled names; mistakes in parents’ names; information exchanged in the “gender” field; errors in the name and number of doses of the vaccine; cases of living people identified as dead; and native Brazilians with another nationality.

Failures in the registration of personal data on ConnectSUS affect the correct issuance of the National Certificate of Vaccination against Covid-19 to these users and may prevent the application of additional doses of the vaccine against Covid and access to medicines and treatment in the SUS. In addition, in several parts of the country, states and municipalities started to require proof of complete immunization against Covid for access to public services and a series of in-person activities.

According to experts (read more below), even before the hacker attack, the flaws in the records already indicated vulnerability of the SUS systems.

The Ministry of Health states that “legally authorized public agents” are responsible for accessing and altering user data.

In response to the g1 questioning, the ministry reported that there are 260,000 qualified operators — responsible for handling the data — linked to state, municipal and Federal District health secretariats. According to the folder, these bodies “have the power to take the appropriate measures with the operators”.

According to the ministry, it is not possible to inform the number of cases in which failures to fill in user records were corrected.

Even before the hacker attack on the ministry, experts warned that breaches in the folder’s systems would allow, in addition to data sequestration, changes without criteria in personal information.

In part of the cases, the register was deliberately tampered with, as informed by the ministry itself. According to the folder, these adulterations were committed by operators who, after an internal investigation, had access to the system blocked.

One of these cases is that of the national president of the PT, deputy Gleisi Hoffmann (PR). In June of this year, when presenting to take the first dose of the vaccine against Covid, the nurse at the health post informed, according to the deputy, that she was registered as “dead” in the medical record. In the field reserved for the name, he said, it was written “Bolsonaro”. According to the parliamentarian, personal data have already been corrected.

The leader of the Homeless Workers Movement (MTST), ex-candidate for the City of São Paulo Guilherme Boulos (PSOL), and the ex-deputy and ex-candidate for the Municipality of Porto Alegre Manuela D’Ávila (PCdoB) also spoke. adulteration targets in SUS records.

“[Os dados] they were altered by insults and gross cursing,” said Boulos. Manuela D’Ávila claimed to have been declared dead. The record had been corrected, but last Thursday (9), the former deputy said again, on social networks, that the vaccination card was changed again.

Microbiologist Atila Iamarino and YouTubers Felipe Neto, Felipe Castanhari and Nyvi Estephan also identified inconsistencies in the personal records of the SUS.

Iamarino said he was classified by an operator with a doctor’s credential in Porto Velho as “dead” and that in his record there were phrases with Nazi apology and offenses. According to he informed, the record was corrected on the last day 2. According to the ministry, the operator had access to the system blocked, but the folder did not clarify whether he suffered any sanctions.

According to the ordinance that established ConnectSUS, access to data is subject to the General Law for the Protection of Personal Data (LGPD), which has as some of its foundations the respect for privacy, informative self-determination and the inviolability of intimacy, honor and of image.

In the application, users can consult an information note that reinforces the confidentiality and inviolable criteria of the data: “Unauthorized access and misuse by RNDS users [Rede Nacional de Dados em Saúde] are subject to penalties provided for in the legislation”.

Since August, improper use and manipulation of data can be punished based on the LGPD. The application of sanctions, which can reach R$ 50 million, is the responsibility of the National Data Protection Authority (ANPD).

Public bodies, according to the agency, may suffer “warning, publicizing the infringement, blocking or deleting data, partial, total suspension or total prohibition of the bank’s operation or processing activity”.

ConnectSUS application is hacked and fails to show data on vaccination

Experts point out risks

Fabro Steibel, executive director of ITS (Institute of Technology and Society) and member of the National Council for the Protection of Personal Data and Privacy, argues that the thousands of errors and reports of data tampering characterize “serious information security problems” in the applications offered by the Ministry of Health.

According to him, external audits should be carried out to ensure that the system meets the criteria of the personal data protection legislation.

“Things this important have to be audited on the outside. We have to see who has access to this base because the bases are connected. Monitor these partners from the ecosystem database”, he adds.

In the assessment of Danilo Doneda, lawyer and professor at the Instituto Brasiliense de Direito Público (IDP), the conduct adopted by accredited persons may be subject to “due administrative punishment”, as provided for in the informative standard located on ConectaSUS. For him, the ministry should commit to disclose, with transparency, the cases.

“A person who has a credential to modify data in the system is not allowed to do so as he pleases. The moment he uses it for manipulation – be it political or whatever – he will harm people, carrying out an illicit processing of personal data”, he adds.

The repeated accusations of changes in data in the systems prove, according to Doneda, that there is a controversial behavior by the operators, supported by a “system failure” that allows data to be changed without many barriers. All can be submitted to the current criteria of the LGPD.

In addition to requesting correction of the data from the Ministry of Health, Danilo Doneda suggests that people whose data have been illegally altered resort to ANPD for registration and formal investigation of the complaint.

Ministry says adopt measures

In a note sent to g1, the Ministry of Health clarifies that it has adopted measures “when undue changes are identified in the registers of public persons”. However, cases are reported “to the competent authorities” only “when necessary”.

The guidance for people who are not considered public is that they seek the folder’s ombudsman, through number 136.