KillSec Ransomware Hits Brazilian Healthcare IT Vendor
On September 8, 2025, a devastating ransomware attack claimed by the group KillSec has struck MedicSolution, a software provider serving Brazil's healthcare sector, sending shockwaves through the industry.
The hackers threatened to leak stolen data unless negotiations were initiated, sparking widespread concern among medical providers and patients. According to a new advisory by Resecurity, the breach could affect a wide range of medical providers and patients, given MedicSolution's central role in the healthcare supply chain.
Supply Chain Breach and Data Exposure
By targeting a software vendor instead of a single clinic, the attackers expanded their reach dramatically. Resecurity stated that the group obtained more than 34 GB of data comprising 94,818 files, including:
- Unredacted patient photos, including body images
- Stolen data from institutions such as Vita Exame, Clinica Especo Vida, Centro Diagnostico Toledo, Labclinic and Laboratório Alvaro.
The stolen files appear to involve sensitive information that can be used for extortion, causing harm to both providers and patients. Resecurity warned that the data was not taken through a complex hack but was left exposed in misconfigured AWS cloud buckets.
A Persistent Threat
Despite outreach from investigators, MedicSolution has not issued a public response. The attack is part of a broader campaign in Latin America and beyond, with KillSec having claimed responsibility for breaches at Archer Health in the US, Suiza Lab in Peru, and Colombian providers GoTelemedicina and eMedicoERP.
One month earlier, the group leaked data from Doctocliq, a Peruvian platform serving more than 3500 doctors in 20 countries. This incident highlights the ongoing vulnerability of healthcare organizations in Brazil to cybercrime.
Gaps in Incident Response and Monitoring
The attack exposes persistent gaps in incident response and monitoring across the sector. The Lei Geral de Proteção de Dados (LGPD) classifies health data as sensitive and requires strong safeguards, explicit consent, and breach reporting within three business days.
Healthcare organizations in Brazil are bound by these regulations, but the Autoridade Nacional de Proteção de Dados (ANPD) has issued fines totaling over BRL 98 million ($20m USD) across all sectors since 2023, with healthcare among the hardest hit.
A Broader Campaign
Resecurity warned that KillSec may still be preparing further disclosures in Brazil, underlining the sector's ongoing vulnerability to cybercrime. The attack serves as a stark reminder of the need for robust incident response and monitoring measures to prevent similar breaches in the future.
A Call to Action
The attack on MedicSolution highlights the urgent need for healthcare organizations in Brazil to prioritize cybersecurity and compliance with regulations such as LGPD. By taking proactive steps to strengthen their defenses, these organizations can protect sensitive patient data and prevent devastating attacks like this one.