SNS data breach triggers hundreds of complaints to Portuguese data protection authority

Over 100,000 SNS patients had their personal health data exposed and accessed without authorization, affecting individuals and their children.
Someone had accessed their medical records without permission
Over 100,000 SNS patients received notifications on May 21st that their health data had been breached.

No dia 21 de maio, utilizadores do SNS24 começaram a receber notificações de que os seus registos médicos tinham sido acedidos sem autorização — o resultado de um ataque informático que comprometeu as credenciais de um médico e abriu caminho a mais de cem mil processos clínicos. Portugal confronta-se agora com uma das maiores violações de dados de saúde da sua história recente, num momento em que sistemas de saúde em todo o mundo se tornam alvos crescentes de criminalidade digital. O incidente levanta questões que transcendem a segurança informática: até que ponto estão os cidadãos protegidos quando confiam ao Estado a custódia das suas informações mais íntimas?

  • Mais de 100 000 utentes do SNS receberam notificações a informar que os seus dados clínicos — diagnósticos, prescrições, histórico de tratamentos — tinham sido acedidos por terceiros não autorizados.
  • Os atacantes não exploraram uma falha técnica sofisticada: usaram credenciais legítimas de um médico para entrar no sistema como se fossem utilizadores autorizados, revelando uma vulnerabilidade estrutural nos controlos de acesso.
  • A CNPD recebeu 'centenas e centenas' de queixas formais em poucas horas, enquanto a Polícia Judiciária e o Ministério Público abriram investigações paralelas, sinalizando que o caso pode ter consequências criminais.
  • A Associação Cidadãos pela Cibersegurança distribuiu modelos gratuitos de queixa-crime para facilitar o acesso à justiça, antecipando que o volume de participações continuará a crescer.
  • O incidente expõe uma falha sistémica: credenciais comprometidas de um único utilizador foram suficientes para aceder a registos em massa, sugerindo ausência de controlos de acesso granulares ou de deteção atempada de anomalias.

Na manhã de 21 de maio, milhares de portugueses abriram o telemóvel e encontraram uma notificação do portal SNS24 com uma mensagem perturbadora: alguém tinha acedido aos seus registos médicos sem permissão. O ataque informático que originou esse momento tinha comprometido as credenciais de um médico e, através delas, os intrusos percorreram o sistema de saúde pública como se fossem utilizadores legítimos. Quando a dimensão da violação se tornou conhecida, mais de 100 000 processos clínicos tinham sido expostos.

A resposta institucional foi imediata e múltipla. A Comissão Nacional de Protecção de Dados começou a receber queixas formais nas primeiras horas após as notificações, acumulando rapidamente centenas de participações de doentes e pais cujos filhos também tinham sido afetados. A CNPD abriu inquérito formal; a Polícia Judiciária iniciou investigação criminal; o Ministério Público entrou em cena, sinalizando que o Estado tratava o caso como potencial crime e não como mero incidente administrativo.

O que tornava o ataque particularmente inquietante era a sua simplicidade. Não houve exploração de vulnerabilidades exóticas nem sofisticação técnica extraordinária — os atacantes limitaram-se a usar credenciais roubadas para entrar pela porta da frente. Esse detalhe apontava para falhas nos mecanismos de autenticação, na deteção de acessos anómalos ou na capacidade de revogar credenciais comprometidas em tempo útil.

Para os afetados, a violação não era apenas um dado estatístico. Era a incerteza sobre quem tinha visto o quê, o risco de exploração de informação médica sensível e, para alguns, a descoberta de que os dados de saúde dos seus filhos também tinham sido acedidos. A Associação Cidadãos pela Cibersegurança procurou reduzir as barreiras à ação legal, disponibilizando gratuitamente modelos de queixa-crime para quem não soubesse como proceder.

Enquanto as investigações prosseguiam em junho, a questão central para as autoridades de saúde portuguesas deixou de ser apenas como responder a esta crise — passou a ser como garantir que a próxima não acontece.

On May 21st, thousands of Portuguese health service users began receiving notifications from the SNS24 portal with the same unsettling message: someone had accessed their medical records without permission. The intruders had used stolen credentials belonging to a doctor—credentials that had been compromised in a cyberattack targeting the Serviço Nacional de Saúde, Portugal's public health system. By the time the breach became public knowledge, more than 100,000 patient records had been exposed to unauthorized access.

The scale of the incident became apparent almost immediately. The Comissão Nacional de Protecção de Dados, Portugal's data protection authority, began fielding complaints within hours of the first notifications going out. What started as a trickle quickly became a flood. The CNPD reported receiving "hundreds upon hundreds" of formal complaints from affected patients and parents whose children's health information had been compromised. Each notification represented not just a data point in a spreadsheet, but a person discovering that their most sensitive medical information—diagnoses, prescriptions, treatment histories—had been accessed by criminals.

The breach set multiple investigations in motion simultaneously. The CNPD opened its own formal inquiry into the incident, beginning the process of determining how the attack occurred, what safeguards failed, and what remedies might be available to those affected. At the same time, the Polícia Judiciária, Portugal's criminal investigation police, launched their own probe. The Public Ministry also initiated proceedings, signaling that prosecutors were treating the matter as a potential criminal offense rather than a mere administrative failure.

What made the breach particularly troubling was the method of attack. The hackers had not broken through some exotic zero-day vulnerability or exploited a cutting-edge software flaw. Instead, they had obtained legitimate doctor credentials and used them to walk through the front door. This suggested either a targeted theft of login information, a phishing campaign, or a compromise of the authentication system itself—each scenario pointing to different vulnerabilities in how the health system protected access to patient data.

The Associação Cidadãos pela Cibersegurança, a Portuguese cybersecurity advocacy organization, recognized that many affected patients might not know how to formally report the breach to authorities. The group responded by creating and distributing free templates that patients could use to file criminal complaints, removing one barrier to legal action. The decision to provide these templates suggested that the organization expected the complaints to continue accumulating and that formal legal proceedings would likely follow.

For the patients themselves, the breach meant more than just the abstract knowledge that their data had been exposed. It meant uncertainty about what information had been accessed, who had seen it, and what might happen next. It meant the possibility of identity theft, the risk of their medical histories being sold or exploited, and the violation of what should be one of the most protected categories of personal information. Some had their own records compromised; others discovered that their children's health data had been accessed—adding a layer of parental concern to the personal violation.

The incident exposed a critical weakness in Portugal's healthcare infrastructure at a moment when cyberattacks on hospitals and health systems were becoming increasingly common globally. The fact that attackers could gain access to over 100,000 patient records using a single compromised set of credentials suggested that the SNS lacked adequate controls to limit what any individual user could access, or that the system had failed to detect and revoke credentials quickly enough once they were known to be compromised. As investigations continued through June, the question facing Portuguese health authorities was not just how to respond to this breach, but how to prevent the next one.

The CNPD reported receiving hundreds upon hundreds of formal complaints from affected patients and parents
— Comissão Nacional de Protecção de Dados (CNPD)
The Hearth Conversation Another angle on the story
Inventor

Why did it take until May 21st for patients to find out? Didn't the health system detect the breach earlier?

Model

The notifications went out on May 21st because that's when the SNS24 portal alerted users to unauthorized access. Whether the system detected it before then, or whether the attackers had been inside for weeks undetected, the source doesn't say. That's one of the things the investigations will need to answer.

Inventor

So the hackers just used a doctor's login credentials. That seems almost too simple.

Model

It does, but that's often how these things work. A doctor's username and password are worth a lot—they open doors that regular user accounts can't. The real question is whether the system was checking what that doctor was actually doing. If one person's credentials can unlock 100,000 patient records, something is wrong with how access is controlled.

Inventor

What happens to the people whose data was stolen? Can they sue?

Model

That's what the cybersecurity group's free complaint templates are for. They're helping people file criminal complaints, which is the first step. Whether that leads to civil lawsuits, compensation, or just criminal prosecution of the attackers—that depends on what the investigations find and what Portuguese law allows.

Inventor

Is this the first time the SNS has been hit like this?

Model

The source doesn't say. But the fact that a cybersecurity advocacy group immediately stepped in with templates suggests they've seen this pattern before, or they expect it to happen again. That's telling.

Inventor

What's the worst-case scenario for a patient?

Model

Their medical history is now in the hands of criminals who might sell it, use it for blackmail, or commit identity theft. And there's no way to know if that's already happening or will happen tomorrow. That uncertainty is part of the harm.

Contact Us FAQ