Portugal's criminal investigation police (PJ) has confirmed that a cyberattack against the national health service (SNS) compromised the personal data of more than 100,000 patients, with investigators acknowledging that perpetrators likely leveraged artificial intelligence to accelerate the exfiltration. The intrusion was carried out through a doctor's compromised credentials and impacted patients across mainland Portugal as well as the Azores and Madeira islands.
What Happened
According to José Ribeiro, head of Portugal's national cybercrime and technology unit (UNC3T), unauthorised actors abused legitimate physician credentials to query and extract patient records from SNS systems over a span of just a few days. Ribeiro stated that the threat actors gathered a "large volume" of data in a timeframe that "just a few months ago would take three months" to obtain, an acceleration the PJ attributes to the suspected use of AI tooling to automate record retrieval at scale. The investigation remains in the data collection phase; no suspects have been identified, and authorities have not ruled out any motive. For investigative purposes the activity is recorded against the doctor whose credentials were abused, but the operator who actually drove the intrusion remains unknown.
What Was Taken
The PJ confirmed that records belonging to over 100,000 SNS patients were accessed and exfiltrated. Victims are distributed nationwide, including the autonomous regions of the Azores and Madeira. Authorities walked back initial indications that the theft was heavily focused on children and minors, but they have not publicly enumerated the exact record fields exposed. Given the nature of SNS patient files, the dataset is expected to include identifying information, clinical history, and other sensitive health data. Ribeiro noted that personal data of this type "is of great value," and investigators are weighing both "malicious objectives" and "commercial objectives" such as resale for advertising or downstream fraud.
Why It Matters
This incident is a clear illustration of how identity-based attacks on healthcare systems can outpace traditional detective controls once attackers add AI-driven automation. A single compromised clinician account produced a six-figure breach in days, with no malware reported and no perimeter control to bypass, because the attackers operated as an authorised user through the sanctioned interface. Affected patients have no self-service remediation available; the centralized platform is operated by SPMS, the health ministry's shared services agency, so victims depend entirely on the state's response. For European healthcare and other regulated sectors, the breach raises pressing questions about credential hygiene, anomaly detection on legitimate accounts, and the GDPR obligations that follow mass exfiltration of special-category health data.
The Attack Technique
The initial access vector was the abuse of a legitimate doctor's SNS credentials, which the attackers used to query and pull patient records through the sanctioned clinical interface. Investigators believe AI was used to scale record collection well beyond what a human operator could achieve manually; they have not described the tooling, and plausible readings range from scripted automation against the portal to LLM-assisted tooling that parses and prioritises records. Detection appears to have come from clinicians themselves, who noticed unauthorised access notifications on the SNS portal via Portugal's Chave Móvel Digital electronic identity system. SPMS has since deactivated the abused credentials, cut off the exfiltration, seized machines for forensic analysis, and is rolling out additional hardening measures.
What Organizations Should Do
- Enforce phishing-resistant MFA on all clinical and administrative accounts that can access patient records, and treat single-factor or SMS-based fallbacks as unacceptable for high-value identities.
- Instrument anomaly detection on record-access behavior, including volume thresholds, off-hours queries, and geographic or device-fingerprint deviations, rather than relying solely on authentication success.
- Apply rate limiting and query quotas at the application layer so that no individual account can pull tens of thousands of records in a short window without triggering hard stops.
- Build out user-facing access transparency, similar to the SNS portal notifications that surfaced this incident, so clinicians and patients can spot misuse of their own identities quickly.
- Hunt proactively for credential reuse, infostealer-sourced logs, and session-token theft affecting clinical staff, and rotate credentials for any account flagged in third-party breach intelligence.
- Prepare incident response and GDPR notification playbooks specifically for AI-accelerated exfiltration scenarios, where the window between initial access and mass theft may be measured in hours rather than weeks.
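The following is an added example, not code from the original article, from SPMS or from the SNS platform: a small Python detector that applies the behavioural checks recommended above (sliding-window volume, off-hours access, distinct patients per day) to constructed audit-log lines. The log format, the account names dr.normal and dr.abused, and the thresholds are assumptions chosen for illustration; a real deployment would tune them per role and feed the alerts into a hard stop at the application layer.

```python
"""Added example: record-access anomaly detection over constructed audit-log lines.

The log format, account names and thresholds below are assumptions for this
illustration, not SNS/SPMS data or configuration.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta


def build_sample_log() -> list[str]:
    """Constructed audit log: "<ISO timestamp> <account> <patient_id> <action>"."""
    lines = []
    # A clinician reading eight charts during a normal working day.
    base = datetime(2025, 4, 10, 9, 0, 0)
    for i in range(8):
        ts = base + timedelta(minutes=45 * i)
        lines.append(f"{ts.isoformat()} dr.normal P{1000 + i:05d} READ")
    # An abused account pulling 200 distinct records in twenty minutes at 02:00.
    base = datetime(2025, 4, 11, 2, 0, 0)
    for i in range(200):
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} dr.abused P{5000 + i:05d} READ")
    return lines


# Assumed policy; real thresholds would be derived from per-role baselines.
POLICY = {
    "window": timedelta(minutes=10),
    "max_records_per_window": 60,                 # hard-stop volume threshold
    "max_distinct_patients_per_day": 150,
    "working_hours": (time(7, 0), time(21, 0)),   # assumed clinic hours
}


def parse_line(line: str):
    ts, account, patient, action = line.split()
    return datetime.fromisoformat(ts), account, patient, action


def detect(lines, policy=POLICY) -> list[dict]:
    """Return one alert per (account, rule) that fires.

    Rules: sliding-window volume, off-hours access, distinct patients per day.
    Each rule alerts once per account (per day for the distinct-patient rule),
    so an analyst sees the first crossing rather than hundreds of duplicates.
    """
    window = policy["window"]
    recent = defaultdict(deque)            # account -> timestamps inside window
    patients_per_day = defaultdict(set)    # (account, date) -> patient ids seen
    fired = set()
    alerts = []
    start, end = policy["working_hours"]

    def fire(rule, account, ts, detail):
        key = (rule, account, ts.date() if rule == "distinct_patients" else None)
        if key in fired:
            return
        fired.add(key)
        alerts.append({"rule": rule, "account": account,
                       "at": ts.isoformat(), "detail": detail})

    # ISO timestamps at the start of each line sort lexically in time order.
    for line in sorted(lines):
        ts, account, patient, action = parse_line(line)

        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) > policy["max_records_per_window"]:
            fire("volume", account, ts, f"{len(q)} records in {window}")

        if not (start <= ts.time() < end):
            fire("off_hours", account, ts, f"access at {ts.time()}")

        seen = patients_per_day[(account, ts.date())]
        seen.add(patient)
        if len(seen) > policy["max_distinct_patients_per_day"]:
            fire("distinct_patients", account, ts, f"{len(seen)} distinct patients")

    return alerts


def flagged_accounts(alerts) -> dict:
    """Map account -> set of rules that fired, for quick triage."""
    out = defaultdict(set)
    for a in alerts:
        out[a["account"]].add(a["rule"])
    return dict(out)


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The volume rule is the one that would have mattered most here: it fires on the 61st record inside a ten-minute window regardless of whether the session authenticated cleanly, which is exactly the gap an attacker holding valid credentials exploits. Tying `fire("volume", ...)` to a session kill or step-up authentication turns the detection into the application-layer quota the list recommends.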
Sources: Over 100,000 patient records 'stolen' in health service hack – Portugal Resident