Brazilian firm allegedly used AI to illegally resell SUS patient data

In February 2026, the Brazilian Federal Police launched Operation Glycon to dismantle a business structure illegally commercializing sensitive health data from the Unified Health System (SUS). The company allegedly used an AI-powered tool designed for health professionals to gain unauthorized access to clinical records.

Unnamed company (investigated in Operation Glycon) · Incident Feb 4, 2026 · Indexed Jun 5, 2026 · 2 sources

The system allowed unauthorized access to confidential clinical information of patients through queries using identifying data.
What: In February 2026, the Brazilian Federal Police launched Operation Glycon to dismantle a business structure illegally commercializing sensitive health data from the Unified Health System (SUS).
Incident date: Feb 4, 2026
Who: Unnamed company (investigated in Operation Glycon)
Failure mode: Data Leakage
AI surface: Chatbot
Severity: Catastrophic

What happened

On February 4, 2026, the Brazilian Federal Police executed Operation Glycon against a company suspected of illegally accessing and selling sensitive patient data from the Unified Health System (SUS). The investigation was triggered after the Ministry of Health's DATASUS reported a cyber security incident involving an AI-based tool marketed by the company under investigation. Federal authorities issued search and seizure warrants and ordered the immediate suspension of the company's domains and APIs.

What broke inside the model

Failure path · mode profile · Data Leakage
  1. Trigger: A request triggers retrieval or context loading.
  2. Model step: The context pulls in another user's content.
  3. Control gap: No boundary enforces isolation at the moment of output.
  4. Failure: Private data crosses into the response.
  5. Consequence: One user sees another's data, and disclosure follows.

One user's content crosses the retrieval boundary into another's response.

The failure traced to weaknesses in access control and authentication: the tool accepted queries keyed on a patient's identifying data and returned that patient's clinical information without verifying that the requester was authorized to see it, bypassing the protections meant to safeguard privacy.
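The pattern described above, reduced to code as an added example (this is not code from the page, from the company under investigation, or from DATASUS): a lookup that checks only that the caller holds a credential, beside a hardened form that decides authorization per (caller, patient) before touching the store, refuses with the same error whether or not the identifier exists, enforces the same boundary again at the output step of the failure path, and flags callers who query more distinct patients than a clinical workload would. The record store, the identifiers, the "care relationship" authorization rule and the bulk-lookup threshold are all hypothetical.

```python
# Added illustration, not the page's or the investigated company's code. The store,
# identifiers, the care-relationship rule and the threshold are hypothetical.
import logging
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

log = logging.getLogger("phi_access")


class AccessDenied(Exception):
    """Raised for every refused lookup, identical whether the record exists or not."""


@dataclass(frozen=True)
class Professional:
    user_id: str
    care_relationships: FrozenSet[str]  # hypothetical: patients this caller is treating


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    diagnoses: Tuple[str, ...]


# Constructed sample store; identifiers and contents are fictional.
RECORDS: Dict[str, PatientRecord] = {
    "P-1001": PatientRecord("P-1001", ("hypertension",)),
    "P-1002": PatientRecord("P-1002", ("type 2 diabetes",)),
}

# Constructed sample caller: authorized for P-1001 only.
SAMPLE_CALLER = Professional("dr-7", frozenset({"P-1001"}))


def lookup_vulnerable(api_key_ok: bool, patient_id: str) -> Optional[PatientRecord]:
    """Weak pattern: authentication only. Any holder of a valid credential can pull
    any patient's record just by supplying that patient's identifier."""
    if not api_key_ok:
        raise AccessDenied("unauthenticated")
    return RECORDS.get(patient_id)


def lookup_hardened(caller: Professional, patient_id: str) -> PatientRecord:
    """Hardened pattern: authorization is decided per (caller, patient) before the
    store is read, every decision is logged, and an unauthorized caller gets the
    same error whether or not the identifier exists (no enumeration oracle)."""
    allowed = patient_id in caller.care_relationships
    log.info("phi_access user=%s patient=%s allowed=%s", caller.user_id, patient_id, allowed)
    if not allowed:
        raise AccessDenied("not authorized for this patient")
    record = RECORDS.get(patient_id)
    if record is None:
        raise LookupError(patient_id)  # caller is authorized, so "not found" is safe to reveal
    return record


def enforce_output_boundary(caller: Professional, records: List[PatientRecord]) -> List[PatientRecord]:
    """Output-side check for the 'control gap' step: refuse to emit any record whose
    patient lies outside the caller's authorized set, even if an earlier retrieval
    step already loaded it into the model context."""
    leaked = [r.patient_id for r in records if r.patient_id not in caller.care_relationships]
    if leaked:
        log.warning("blocked response user=%s out_of_scope=%s", caller.user_id, leaked)
        raise AccessDenied("response would disclose out-of-scope records")
    return records


# Constructed query log as (user_id, patient_id) pairs; a bulk harvester walks identifiers.
SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("dr-7", "P-1001"), ("dr-7", "P-1001"),
    ("acct-42", "P-1001"), ("acct-42", "P-1002"), ("acct-42", "P-1003"), ("acct-42", "P-1004"),
]


def flagged_callers(queries: List[Tuple[str, str]], threshold: int) -> List[str]:
    """Detection control: callers who looked up more distinct patients than the
    (hypothetical) threshold a legitimate clinical workload would reach."""
    seen: Dict[str, set] = {}
    for user_id, patient_id in queries:
        seen.setdefault(user_id, set()).add(patient_id)
    return sorted(u for u, subjects in seen.items() if len(subjects) > threshold)


def denied(fn: Callable, *args) -> bool:
    """True when fn(*args) is refused with AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("weak endpoint hands over P-1002:", lookup_vulnerable(True, "P-1002"))
    print("hardened endpoint refuses P-1002:", denied(lookup_hardened, SAMPLE_CALLER, "P-1002"))
    print("bulk lookups flagged:", flagged_callers(SAMPLE_QUERIES, threshold=2))
```

The order of checks in `lookup_hardened` matters: authorization is evaluated before the store is read, so an unauthorized caller cannot learn from the error message whether a given identifier corresponds to a real patient. The output guard is deliberately redundant with the retrieval check; it is the control that holds when some other code path loads records into the context without going through the hardened lookup.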

Public visibility: High
Regulatory exposure: Active
Customer impact: Few customers
Financial impact: Unknown
Time to disclosure: Hours
  1. Primary: "PF deflagra Operação Glycon contra comercialização ilegal de dados sensíveis de pacientes do SUS" (Federal Police launch Operation Glycon against the illegal sale of sensitive SUS patient data), gov.br
  2. Press: "Empresa alvo de operação usou IA para vender dados de pacientes do SUS" (Company targeted by the operation used AI to sell SUS patient data), metropoles.com
Permalink: https://failureindex.ai/failures/brazilian-allegedly-used-illegally-resell-sus
Citation: AI Failure Index. "Brazilian firm allegedly used AI to illegally resell SUS patient data" (FI-0262). Realm Labs. https://failureindex.ai/failures/brazilian-allegedly-used-illegally-resell-sus (indexed Jun 5, 2026).

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0262. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard
  • AI Detection & Response (AIDR)

Realm can detect when a response is about to emit data that falls outside the bounds of the current user and context, and block or redact it inline, at the moment of generation rather than after the data has left.