Polícia Judiciária Tallies the SNS Administrative-Data Heist at More Than 100,000 Users Across Continental and Island Portugal — Compromised Doctor Credentials and Suspected AI Compression Define the Investigation Frame

The Polícia Judiciária's Unidade Nacional de Combate ao Cibercrime e à Criminalidade Tecnológica (UNC3T) has tallied the May 2026 unauthorised-access incident at the Serviço Nacional de Saúde at more than 100,000 affected utentes across the entire Portuguese territory, including the Azores and Madeira island networks. The file was disclosed on Monday 25 May 2026 by UNC3T director José Ribeiro and confirms the breach ran through legitimate professional credentials of a doctor attached to the Unidade Local de Saúde do Alto Minho — credentials the ULS Alto Minho clarified were compromised by third parties rather than misused by the physician.

The Numbers Behind the File

The 100,000+ tally was assembled through SNS24 portal notifications: utentes received automated alerts via the Chave Móvel Digital and the SNS24 app when their record — or that of a minor under their custody — was accessed by the compromised credential set. The PJ has emphasised the access concentrated on administrative records (clinical-data exfiltration remains under investigation) and unfolded across days rather than the multi-month windows typical of legacy SNS data-access patterns. Ribeiro stated the extraction velocity is what is driving the investigation's suspicion that artificial intelligence was used to script the parallel queries: 'what would have taken three months took days.'

Ministry Response

Ministry of Health services confirmed via the PJ that the compromised credentials have been deactivated, exfiltration has been halted, the relevant machines have been pulled for forensic analysis, and additional security-reinforcement measures are underway. No suspects have been named; investigators are weighing multiple scenarios — malicious intent, commercial data resale, foreign-state involvement, or espionage — with Ribeiro telling the press 'at this moment, everything is possible.'

The Wider Cybercrime Tape

The breach lands inside a heavier Portuguese cybercrime cycle. The Centro Nacional de Cibersegurança's 2025 file logged 3,864 cybersecurity incidents in Portugal in 2025, a 40% year-on-year lift on 2024, with roughly half of the cases tracing to human-factor exploits — exactly the credential-compromise vector that drove the SNS incident. The intelligence services have also flagged Russian cyber-campaign activity aimed at Portuguese officials through 2025 and 2026.

What This Means for Expats — The Bottom Line

• Check your SNS24 notification feed. The Chave Móvel Digital and the SNS24 app surface every access to your record; if you received an alert and did not authorise the visit, the access is already captured in the PJ's investigation set — you do not need to file a separate complaint.
• Your número de utente is not the password to your record. Any legitimately issued professional credential inside the SNS network — doctors, administrative staff, certain contracted personnel — can pull an administrative record without further authentication. The mitigation lives in the access-log layer, not the credential layer.
• Watch for follow-on phishing. Administrative-record exfiltration typically powers a second-stage social-engineering wave: fake 'SNS24 notification' SMS, spoofed 'ULS' emails asking for re-authentication, MB Way reset requests timed to a hospital visit. Hang up and call the centre back on the number printed on your cartão de utente.
• Lodge a CNPD notification if you want a paper trail. The Comissão Nacional de Proteção de Dados is the supervisor for personal-data breaches; the standard 72-hour reporting window applies to the controller (the Ministry of Health), but private utente complaints can still be filed at cnpd.pt and will be tied into the same investigation graph.
• Do not change your SNS24 password — there is nothing to change at the utente layer. The compromised credential set was on the institutional side. Utente-side credentials (Chave Móvel Digital, SNS24 account) were not the access vector. Strengthening your CMD password will not address this incident.

The Ministry of Health has not yet posted a consolidated statement on its institutional site; the PJ's UNC3T expects to publish the next update once the credential trail is reconstructed and the question of whether clinical-record access occurred alongside the administrative-record sweep is closed out.