The health startup Mevo had security flaws that allowed medical prescriptions containing patients' personal data to leak. At the end of last month, anyone could access prescriptions from patients who had used the platform.
Known as IDOR, an acronym for Insecure Direct Object Reference, the flaw can be exploited by changing the last numbers of the link used to access a document.
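The flaw class described above, next to its fix, as an added example that is not Mevo's code: the store, ids, user names and function names are all constructed for illustration. It goes slightly beyond the article by also showing random link tokens in place of sequential ids and a regression check that counts cross-patient reads.

```python
import secrets
from collections import namedtuple

Prescription = namedtuple("Prescription", "owner text")

class NotFound(Exception):
    """Raised for both missing and unauthorized documents."""

# Constructed records with sequential numeric ids, like a link ending in a number.
STORE = {
    1001: Prescription("patient-a", "constructed sample A"),
    1002: Prescription("patient-b", "constructed sample B"),
}
LINKS = {}  # opaque share token -> document id

def fetch_vulnerable(doc_id):
    # IDOR: the id from the URL is the only input; nobody asks who is calling.
    return STORE[doc_id]

def fetch_checked(session_user, doc_id):
    # Object-level authorization on every request, bound to the session user.
    doc = STORE.get(doc_id)
    # One error for "missing" and "not yours", so replies do not confirm valid ids.
    if doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc

def issue_link(session_user, doc_id):
    # Share links carry a random 256-bit token instead of the database id.
    fetch_checked(session_user, doc_id)  # only the owner may create a link
    token = secrets.token_urlsafe(32)
    LINKS[token] = doc_id
    return token

def fetch_by_link(token):
    if token not in LINKS:
        raise NotFound("link")
    return STORE[LINKS[token]]

def cross_owner_leaks(fetch, users):
    # Regression check: count reads of documents that belong to someone else.
    leaks = 0
    for user in users:
        for doc_id in STORE:
            try:
                leaks += fetch(user, doc_id).owner != user
            except NotFound:
                pass
    return leaks
```

Running `cross_owner_leaks` against every document endpoint in a test suite catches this flaw before release; the random token only makes links hard to guess and does not replace the ownership check.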
Among the personal data of patients accessible in the medical prescriptions were names, CPFs and addresses, in addition to the drugs used. The prescriptions came from several hospitals and private practices, such as Hospital do Coração and Grupo NotreDame Intermédica, which recently merged with Hapvida. Psychiatric medications were also included in the documents.
Mevo was founded in 2017 as Nexodata and changed its name to Mevo in 2022. The startup, which has attracted investors such as Jorge Paulo Lemann and Guilherme Benchimol, from XP, offers digital prescription and delivery of medicines to patients’ homes.
When contacted, Mevo claimed that an internal company system was accessed without authorization, which resulted in improper access to six medical prescriptions. “The moment it was identified, the problem was immediately remedied, without prejudice to any partners, doctors and/or patients,” the company said, adding that it “follows the strictest cybersecurity protocols.”