Prescription website leaves patient data exposed

The health startup Mevo had security gaps that exposed patients' medical prescriptions along with their personal data. At the end of last month, anyone could access prescriptions from patients who had used the platform.

Known as IDOR, short for Insecure Direct Object Reference, the flaw can be exploited by changing the last numbers of the link used to access a document.
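The sketch below is an added example, not Mevo's code or anything from the original article: it contrasts a handler that trusts the number in the link with one that checks the caller against the record. The store, field names and function names are hypothetical, and the records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Prescription:
    rx_id: int        # sequential number that ends the link (assumed scheme)
    patient_id: str
    doctor_id: str
    body: str


# Constructed sample records, not real data.
STORE = {
    1001: Prescription(1001, "patient-a", "doctor-x", "drug A 10 mg"),
    1002: Prescription(1002, "patient-b", "doctor-x", "drug B 5 mg"),
    1003: Prescription(1003, "patient-c", "doctor-y", "drug C 20 mg"),
}


class NotFound(Exception):
    """Raised for missing AND unauthorized records, so replies do not reveal which IDs exist."""


def get_prescription_vulnerable(rx_id: int) -> Prescription:
    # IDOR: the ID taken from the link is the only input; the caller is never checked.
    return STORE[rx_id]


def get_prescription(rx_id: int, caller_id: Optional[str]) -> Prescription:
    # Hardened: require an authenticated caller and compare it with the record's owners.
    rx = STORE.get(rx_id)
    if caller_id is None or rx is None or caller_id not in (rx.patient_id, rx.doctor_id):
        raise NotFound(rx_id)
    return rx


def readable_ids(caller_id: Optional[str], candidates: Iterable[int]) -> List[int]:
    """Regression check: which IDs in a range does this caller get back from the hardened handler?"""
    allowed = []
    for rx_id in candidates:
        try:
            get_prescription(rx_id, caller_id)
            allowed.append(rx_id)
        except NotFound:
            pass
    return allowed
```

Running `readable_ids` over a range of neighbouring IDs for each test account is a simple way to confirm that the authorization check, not the obscurity of the number, is what limits access.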

The personal data accessible in the medical prescriptions included names, CPF numbers and addresses, in addition to the drugs prescribed. The documents included prescriptions from several hospitals and private practices, such as Hospital do Coração and Grupo NotreDame Intermédica, which recently merged with Hapvida. Psychiatric medications also appeared in the documents.

Mevo was founded in 2017 as Nexodata and changed its name to Mevo in 2022. The startup, which has attracted investors such as Jorge Paulo Lemann and Guilherme Benchimol, of XP, offers digital prescriptions and delivery of medicines to patients’ homes.

When contacted, Mevo claimed that an internal company system was accessed without authorization, which resulted in improper access to six medical prescriptions. “The moment it was identified, the problem was immediately remedied, without prejudice to any partners, doctors and/or patients,” the company said, adding that it “follows the strictest cybersecurity protocols.”


About Jenni Smith

She's our PC girl, so anything is up to her. She is also responsible for the videos of Play Crazy Game, as well as giving a leg in the news.
