MedicSolution

A ransomware attack by the hacker group KillSec disrupted MedicSolution, a critical software provider for Brazil’s healthcare sector. The attackers exfiltrated over 34 GB of sensitive data (94,818 files), including medical evaluations, lab results, X-rays, unredacted patient photos (including those of minors), and records from multiple institutions such as Vita Exame, Clinica Especo Vida, and Laboratório Alvaro. The breach stemmed from misconfigured AWS cloud buckets, which left the data exposed and reachable without complex hacking. KillSec threatened to leak the stolen data unless ransom negotiations began, creating a risk of extortion, reputational damage, and operational disruption across dependent healthcare providers. The incident underscores persistent vulnerabilities in cloud security and incident response within the sector: MedicSolution has not issued a public statement despite regulatory obligations under Brazil’s LGPD (Lei Geral de Proteção de Dados), which mandates breach reporting within three business days. The attack is part of KillSec’s broader campaign targeting Latin American healthcare, with prior victims including Archer Health (US), Suiza Lab (Peru), and Doctocliq (Peru), amplifying concerns over systemic cybersecurity gaps in regional healthcare infrastructure.

Source: https://www.infosecurity-magazine.com/news/killsec-ransomware-hits-brazilian/

TPRM report: https://www.rankiteo.com/company/medic-solution

"id": "med1492214091025",
"linkid": "medic-solution",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'healthcare IT',
                        'location': 'Brazil',
                        'name': 'MedicSolution',
                        'type': 'software provider'},
                       {'industry': 'medical diagnostics',
                        'location': 'Brazil',
                        'name': 'Vita Exame',
                        'type': 'healthcare provider'},
                       {'industry': 'medical clinic',
                        'location': 'Brazil',
                        'name': 'Clinica Especo Vida',
                        'type': 'healthcare provider'},
                       {'industry': 'diagnostic center',
                        'location': 'Brazil',
                        'name': 'Centro Diagnostico Toledo',
                        'type': 'healthcare provider'},
                       {'industry': 'laboratory services',
                        'location': 'Brazil',
                        'name': 'Labclinic',
                        'type': 'healthcare provider'},
                       {'industry': 'laboratory services',
                        'location': 'Brazil',
                        'name': 'Laboratório Alvaro',
                        'type': 'healthcare provider'}],
 'attack_vector': ['misconfigured AWS cloud buckets', 'exposed data storage'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['medical evaluations',
                                        'lab results',
                                        'X-ray images',
                                        'patient photos',
                                        'PDFs/JPEGs (likely)'],
                 'number_of_records_exposed': 94818,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': ['high (health data classified as '
                                         'sensitive under LGPD)'],
                 'type_of_data_compromised': ['medical records',
                                              'PII',
                                              'sensitive health data',
                                              'minor records',
                                              'unredacted images']},
 'date_detected': '2025-09-08',
 'date_publicly_disclosed': '2025-09-08',
 'description': 'A ransomware attack claimed by the group KillSec disrupted '
                'MedicSolution, a software provider serving Brazil’s '
                'healthcare sector. The hackers threatened to leak over 34 GB '
                'of stolen data (94,818 files), including medical evaluations, '
                'lab results, X-rays, unredacted patient photos, and records '
                'related to minors, unless negotiations were initiated. The '
                'breach was facilitated by misconfigured AWS cloud buckets, '
                'exposing data from multiple healthcare institutions. '
                'MedicSolution has not issued a public response despite '
                'investigator outreach. The incident is part of KillSec’s '
                'broader campaign targeting Latin American healthcare '
                'providers, violating Brazil’s LGPD regulations.',
 'impact': {'brand_reputation_impact': ['severe damage due to sensitive data '
                                        'exposure',
                                        'loss of trust in healthcare software '
                                        'provider'],
            'data_compromised': ['medical evaluations',
                                 'lab results',
                                 'X-rays',
                                 'unredacted patient photos (including body '
                                 'images)',
                                 'records related to minors'],
            'identity_theft_risk': ['high (due to PII and medical data '
                                    'exposure)'],
            'legal_liabilities': ['potential LGPD violations',
                                  'regulatory fines by ANPD'],
            'operational_impact': ['disruption of healthcare services',
                                   'potential extortion of providers/patients',
                                   'supply chain disruption'],
            'systems_affected': ['AWS cloud storage',
                                 'MedicSolution software platform']},
 'initial_access_broker': {'data_sold_on_dark_web': ['likely (based on '
                                                     'KillSec’s prior '
                                                     'behavior)'],
                           'entry_point': 'misconfigured AWS cloud buckets',
                           'high_value_targets': ['healthcare providers',
                                                  'patient records',
                                                  'minor data']},
 'investigation_status': 'ongoing (Resecurity investigation; no public '
                         'response from MedicSolution)',
 'lessons_learned': ['Misconfigured cloud storage remains a critical '
                     'vulnerability in healthcare.',
                     'Supply chain attacks amplify impact across multiple '
                     'entities.',
                     'LGPD compliance requires proactive monitoring and rapid '
                     'breach disclosure.',
                     'Third-party software providers are high-value targets '
                     'for cybercriminals.'],
 'motivation': ['financial extortion',
                'data theft for dark web sale',
                'disruption of healthcare operations'],
 'post_incident_analysis': {'root_causes': ['Misconfigured AWS cloud storage '
                                            '(lack of access controls).',
                                            'Inadequate monitoring of '
                                            'sensitive data repositories.',
                                            'Failure to comply with LGPD '
                                            'breach notification timelines.',
                                            'Supply chain vulnerability '
                                            'exploitation.']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Implement strict access controls for cloud storage '
                     '(e.g., AWS S3 buckets).',
                     'Conduct regular security audits for third-party vendors '
                     'in the supply chain.',
                     'Enhance incident response plans to include rapid public '
                     'disclosure.',
                     'Adopt encryption for sensitive health data at rest and '
                     'in transit.',
                     'Train employees on securing cloud configurations and '
                     'detecting exposures.'],
 'references': [{'date_accessed': '2025-09-08',
                 'source': 'Resecurity Advisory'},
                {'source': 'Healthcare Sector Takes 58 Days to Resolve Serious '
                           'Vulnerabilities'}],
 'regulatory_compliance': {'legal_actions': ['potential ANPD investigation'],
                           'regulations_violated': ['Lei Geral de Proteção de '
                                                    'Dados (LGPD)'],
                           'regulatory_notifications': ['mandatory breach '
                                                        'reporting within 3 '
                                                        'business days (not '
                                                        'complied with)']},
 'response': {'communication_strategy': ['no public response from '
                                         'MedicSolution'],
              'third_party_assistance': ['Resecurity (investigation)']},
 'threat_actor': 'KillSec',
 'title': 'Ransomware Attack on MedicSolution by KillSec Disrupts Brazil’s '
          'Healthcare Sector',
 'type': ['ransomware', 'data breach', 'supply chain attack'],
 'vulnerability_exploited': ['improper cloud storage configuration',
                             'lack of access controls']}