São Paulo, September 10, 2025 — Brazil’s healthcare sector is reeling after a major cyberattack on MedicSolution, a software provider for clinics and medical institutions, was claimed by the ransomware group KillSec.
The attack, disclosed on September 8, threatens to expose more than 34 gigabytes of patient data unless negotiations are initiated with the hackers.
MedicSolution develops cloud-based platforms used by doctors and clinics to manage appointments, electronic records, and patient data. By striking a trusted IT vendor, KillSec has compromised multiple downstream healthcare organizations at once, magnifying the impact of the breach.
According to U.S based cybersecurity firm Resecurity, the stolen files include highly sensitive information from institutions such as Vita Exame, Clinica Especo Vida, Centro Diagnostico Toledo, Labclinic, and Laboratório Alvaro.
The attackers exfiltrated at least 94,818 files containing medical evaluations, lab results, X-rays, unredacted patient photographs, and records involving minors.
Investigators from Resecurity said several affected patients contacted during their research were unaware their private information had been stolen. “By compromising a supply chain vendor, the attackers quadrupled their impact compared to hitting an individual target,” Resecurity noted in its analysis.
Read Full Report: KillSec Ransomware is Attacking Healthcare Institutions in Brazil
This incident is part of a wider campaign targeting healthcare institutions across Latin America and the United States. In early September, KillSec claimed breaches of Archer Health in the U.S., Suiza Lab in Peru, GoTelemedicina in Colombia, and eMedicoERP in Colombia.
Only weeks earlier, the group leaked data from Doctocliq, a Peruvian software platform serving more than 3,500 doctors across 20 countries. KillSec has previously targeted Brazil by publishing identifiers, banking data, and government-linked information, but this appears to be its most damaging attack in the country to date.
Resecurity’s investigation traced the stolen files to exposed AWS S3 cloud storage buckets. The hackers exploited these misconfigured repositories, which were left vulnerable to remote access, without having to breach MedicSolution’s internal systems directly.
“KillSec is adept at exploiting low-hanging fruit to maximize results. In this case, they were able to steal sensitive data without actual hacking or network penetration,” Resecurity explained.
The firm has notified CERT.br, Brazil’s national computer emergency response team, as well as the Autoridade Nacional de Proteção de Dados (ANPD), the regulator enforcing the Lei Geral de Proteção de Dados (LGPD). The LGPD classifies medical records as sensitive personal data subject to heightened protections, and organizations are required to report breaches to both the ANPD and affected individuals within three business days. Failure to comply can result in significant fines and operational sanctions.
The attack has intensified concerns about the vulnerability of Brazil’s healthcare supply chain. Healthcare organizations are prime targets for cybercriminals because they hold vast volumes of personal data, from identification and insurance details to medical histories and payment information.
These records are highly prized on the black market, where they can be sold to fraudsters or used to blackmail victims.
Brazil has already witnessed the consequences of weak defenses in this sector. In 2021, a São Paulo hospital was ordered to pay between R$5,000 and R$20,000 per patient after a ransomware attack.
In 2022, a major insurer was forced to pay collective moral damages and submit to a compliance program monitored by regulators. In 2023, a breach of the public health system led to a court order for stronger security protocols and compensation through public health initiatives. The ANPD fined 15 healthcare institutions BRL 12 million in 2024 for lacking encryption and breach response plans.
KillSec’s latest campaign also reflects a growing regional and global trend. Healthcare systems in Colombia, Peru, and the U.S. were targeted within days of the Brazil incident, and the group has claimed victims in unrelated sectors, from the Royal Saudi Air Force to corporate staffing and senior care platforms.
Resecurity believes KillSec is deliberately focusing on healthcare vendors because of their ability to affect thousands of patients and institutions simultaneously.
“The healthcare industry worldwide is facing more significant cyber threats than nearly any other sector,” Resecurity said. “Unless organizations strengthen cybersecurity audits and supply chain defenses, we will see more hack-and-leak operations aimed at extorting both providers and patients.”
The company has announced that it will offer grants to Brazilian healthcare providers unable to afford advanced cyber threat intelligence services, in an effort to prevent further incidents. These grants, in some cases covering the full cost of monitoring services, are intended to help organizations with limited budgets enhance their defenses against ransomware groups.
The MedicSolution case highlights the urgency of improved cyber resilience in Brazil’s healthcare sector. As medical practices increasingly rely on electronic records, connected devices, and cloud services, their attack surface has expanded dramatically. Yet many organizations continue to operate with legacy infrastructure and limited cybersecurity resources. Unless systemic vulnerabilities are addressed, experts warn, attacks like the one carried out by KillSec could become the new norm.