Swedish Data Protection Authority Fines Medical Service €1.2 Million for a Data Leak

• IMY has fined ‘Medhelp’ for its responsibility in Sweden’s worst data leak incident to date.
• The fine was set to almost €1.2 million, while all of the other entities involved were deemed irresponsible.
• The incident had resulted in the leaking of 2.7 million voice recordings from 2013 until 2019.

The Swedish Authority for Privacy Protection (IMY) has imposed a fine of 12 million SEK (€1,190,000) to ‘Medhelp’ for a sensitive data leak. More specifically, ‘Medhelp’ was offering a medical consultation line on 1177 and was recording the calls and storing them on a misconfigured server that didn’t even have a password set up. As such, it is considered certain that multiple unauthorized users accessed these calls and possibly even exfiltrated thousands of mp3 and WAV files.

The leak was discovered when a Swedish journalist received a tip from an anonymous source, the entity responsible for the operation of the service, ‘Voice Integrate Nordic AB,’ admitted the mistake and declared that they had not realized it previously. This kicked off an in-depth investigation from IMY, which has now been concluded and confirmed GDPR violations, as well as breach of the Patient Records Act.

Because Medhelp was the central medical care provider and the personal data controller, IMY holds them solely accountable for the violations, as they should take the appropriate technical and organizational measures to ensure that people’s sensitive data (in this case, the voice recordings) wouldn’t be accessible by third parties.

Medhelp was contracting Voice Integrate for operating the system, which in turn outsourced the reception of the calls to MediCall - a Thailand-based subcontractor. The accessible database was, in fact, a system used by MediCall. So in practice, they were the ones who made the configuration error. The companies above them were the ones that failed to perform the appropriate checks to ensure the security of the processed data.

The contracted entities failed to ensure data security and follow proper practices. Still, they do not fall under Swedish legislation on health and medical care, and neither were they obligated to comply with secrecy in health and the relevant legislation. As such, Voice Integrate will only be called to pay an administrative sanction of 650,000 SEK (€64,500). And finally, the administrative regions of Stockholm will also pay a fine of 500,000 SEK (€49,600) for failing to adequately inform its citizens on their rights against Medhelp.

As for the responsibility to notify the authorities and the people of the data breach, this burdens Medhelp, which is the only controller. IMY states that they received several notifications, which shows that even the various parties themselves were uncertain about who is responsible for what.