Health-ISAC says Brazil’s healthcare sector is under siege from cyber threats, urges better information sharing

Health-ISAC has issued a stark warning over escalating cyberattacks on Brazil’s health sector, urging immediate improvements in information sharing to bolster defenses. The report highlights how limited intelligence exchange is leaving patient data and critical infrastructure increasingly vulnerable. It underscores Health-ISAC’s focus on strengthening global patient care resilience, with members in more than 140 countries sharing actionable threat intelligence to help vulnerable regions confront fast-evolving, often underreported cyber risks.

The ‘Brazilian Critical Infrastructure Threat Landscape and Implications for Healthcare Organizations’ is the latest in Health-ISAC’s monthly series examining how geopolitical forces shape health sector security. It details how fragmented care delivery, growing data centralization, and the combined pressure of cybercriminal and state-backed actors are straining Brazil’s healthcare infrastructure.

“From ransomware gangs crippling hospital operations to state-sponsored actors targeting sensitive medical data, health organizations in Brazil are under pressure from every direction,” said Errol Weiss, chief security officer at Health-ISAC. “This report offers tailored guidance to help health sector entities understand and respond to these risks.”

Diego Mariano, security lead at Hospital Israelita Albert Einstein, added: “The cybersecurity landscape remains fragmented, with growing threats outpacing regional preparedness – vigilance and collaboration are no longer optional, but critical. These reports bring much-needed clarity and context to Brazilian healthcare organizations that don’t always have access to these insights.”

“Empowering institutions worldwide with intelligence and situational awareness is vital to protecting their people and infrastructure so that they can ensure patients get the care they need,” said Denise Anderson, president and CEO of Health-ISAC. “By building stronger information-sharing connections across borders, we can help health systems everywhere become more resilient.”

To address these critical issues further, Health-ISAC invites health security leaders in Latin America to a workshop in Morumbi, São Paulo, on Sept. 9th, hosted at Hospital Israelita Albert Einstein. The workshop will provide a unique platform to learn about threats and best practices, collaborate with peers, and build essential relationships to foster collective resilience against Brazil’s evolving threat landscape. Those interested in participating can register online. 

The report highlighted that fragmented care between rural and urban clinical environments has heightened risks of violence toward health sector employees. Brazil’s centralized healthcare access depends on large data stores, which have become frequent targets for threat actors. Nation-state groups and financially motivated criminals pose espionage, data breach, and extortion risks, with Brazilian critical infrastructure organizations facing a broad spectrum of threats that include sophisticated state-sponsored campaigns as well as an increase in nonstate cybercriminal and hacktivist activity. These actors drive significant monetary and operational risks, particularly for healthcare entities.

In addition, petty criminals and organized groups occasionally threaten the continuity of critical services. Copper cable thefts remain widespread, sometimes triggering blackouts or disrupting traffic light systems, while organized criminal groups have damaged or obstructed maintenance of water stations and telecommunication antennas in low-income areas under their control. Such actions create operational challenges for healthcare service providers operating in these regions.

The report also warned that protest activity and labor action are likely to escalate ahead of Brazil’s 2026 elections. The country’s polarized political and social climate is expected to fuel recurring demonstrations and strikes over the next 18 months, raising the potential for sporadic violent or disruptive incidents.

While terrorism risks remain low, isolated plots continue to surface. Brazil has not experienced terrorist incidents in recent decades, but police have thwarted several plots in recent years, underscoring the underlying threat of religiously or politically motivated attacks.

The report further highlights that increasingly frequent extreme weather events pose a growing danger to transportation and utilities. Severe droughts threaten hydroelectric power generation and water transportation, while heavy rains can trigger flash floods and landslides, causing widespread damage to urban and road infrastructure.

The Health-ISAC report disclosed that beyond foreign state-sponsored actors, non-state cybercriminals and hacktivists have also become a more pronounced threat in Brazil in recent years, with the former posing significant financial and operational risks for vulnerable organizations, including critical infrastructure entities, while the latter still primarily conduct low-sophistication and short-lived cyber campaigns. 

“Beyond foreign state-linked threats, cybercriminals are likely a more relevant threat as Brazil’s weak enforcement action against illicit digital groups has resulted in the rise of a variety of domestic cybercriminal syndicates that regularly target domestic and international entities alike based on the opportunistic likelihood of receiving a financial payout,” it added. “While Brazil has become particularly notorious for a broad range of homegrown banking trojans, which primarily affect financial account holders, cybercriminals have also pursued more sophisticated ransomware attacks that have impacted private and public sector entities alike (including repeated hacks against Brazilian government ministries), as these groups seek out organizations across industries that have weak cybersecurity defenses and present an opportunity for extortion.” 

Furthermore, financially motivated threat actors are often drawn to sectors that have a stronger incentive to avoid operational disruptions. That makes the healthcare sector attractive, because patients may need critical and immediate life-saving services.

“Brazil has also witnessed an influx of hacktivism as independent politically-motivated groups have become more pronounced in the wake of foreign crises ranging from the Russian-Ukrainian war to the Israel-Hamas war,” according to the report. “While Brazil has not been directly impacted by these crises, Brazilian organizations have occasionally been caught in the crosshairs of hacktivist activity, although these groups typically rely on low-level tactics like distributed-denial-of-service (DDoS) and website defacement campaigns. A more localized hacktivist risk stems from the environmentally-motivated Latin American group Guacamaya, but it primarily targets extractive industry companies like miners and oil and gas firms.”

The Health-ISAC report observed that in Brazil, access to healthcare is a constitutional right. To make sure citizens can exercise this right, the Brazilian government operates a national healthcare service model, the Unified Health System (SUS), where access to care can be centralized. The large, centralized data stores behind this model have become a target for threat actors in the Brazilian health sector threat environment. Database security is likely to be a frontline security issue for Brazilian health sector entities. Data breaches that include patient PHI (protected health information) can represent significant reputational damage for the individual care-providing organizations and their parent companies providing services in Brazil and abroad.

Health-ISAC recommends several measures to reduce the risk of data breaches. Organizations should audit user permissions to ensure employees only have the access necessary for their role, avoiding privilege creep. This limits the damage a threat actor could inflict if a low-privileged account is compromised. Data should be stored in encrypted form to reduce exposure in the event of exfiltration, making the stolen information far more difficult to operationalize and lessening potential reputational damage. 

In addition, input validation measures should be implemented on public-facing data portals to reduce the risk of SQL injection attacks, lowering the likelihood of data exfiltration or tampering.

In June, Health-ISAC reported a persistent wave of cybersecurity incidents and data breaches affecting healthcare organizations over the past year, as detailed in its First Quarter 2025 Heartbeat. While ransomware activity dipped slightly in the third quarter of 2024, it rebounded in the fourth quarter and continued climbing into early 2025. Vulnerabilities in VPN providers and the use of compromised credentials remained consistent threats to the sector.

During this period, Health-ISAC issued 220 targeted alerts to member organizations with potentially vulnerable infrastructure, enabling security teams to address actively exploited flaws before they could be leveraged in attacks.


Anna Ribeiro


Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

