Swedish Data Protection Authority Fines Medical Service €1.2 Million for a Data Leak

  • IMY has fined ‘Medhelp’ for its responsibility in Sweden’s worst data leak incident to date.
  • The fine was set to almost €1.2 million, while all of the other entities involved were deemed irresponsible.
  • The incident had resulted in the leaking of 2.7 million voice recordings from 2013 until 2019.

The Swedish Authority for Privacy Protection (IMY) has imposed a fine of 12 million SEK (€1,190,000) to ‘Medhelp’ for a sensitive data leak. More specifically, ‘Medhelp’ was offering a medical consultation line on 1177 and was recording the calls and storing them on a misconfigured server that didn’t even have a password set up. As such, it is considered certain that multiple unauthorized users accessed these calls and possibly even exfiltrated thousands of mp3 and WAV files.

The leak was discovered when a Swedish journalist received a tip from an anonymous source, the entity responsible for the operation of the service, ‘Voice Integrate Nordic AB,’ admitted the mistake and declared that they had not realized it previously. This kicked off an in-depth investigation from IMY, which has now been concluded and confirmed GDPR violations, as well as breach of the Patient Records Act.

Because Medhelp was the central medical care provider and the personal data controller, IMY holds them solely accountable for the violations, as they should take the appropriate technical and organizational measures to ensure that people’s sensitive data (in this case, the voice recordings) wouldn’t be accessible by third parties.

Medhelp was contracting Voice Integrate for operating the system, which in turn outsourced the reception of the calls to MediCall – a Thailand-based subcontractor. The accessible database was, in fact, a system used by MediCall. So in practice, they were the ones who made the configuration error. The companies above them were the ones that failed to perform the appropriate checks to ensure the security of the processed data.

The contracted entities failed to ensure data security and follow proper practices. Still, they do not fall under Swedish legislation on health and medical care, and neither were they obligated to comply with secrecy in health and the relevant legislation. As such, Voice Integrate will only be called to pay an administrative sanction of 650,000 SEK (€64,500). And finally, the administrative regions of Stockholm will also pay a fine of 500,000 SEK (€49,600) for failing to adequately inform its citizens on their rights against Medhelp.

As for the responsibility to notify the authorities and the people of the data breach, this burdens Medhelp, which is the only controller. IMY states that they received several notifications, which shows that even the various parties themselves were uncertain about who is responsible for what.

REVIEW OVERVIEW

Latest

Is It Okay to Charge iPhone 13, Mini, Pro, or Pro Max Overnight?

Without any doubt, there are plenty of misconceptions about charging iOS devices. That’s even more true now since this year’s iPhones have the...

Is It Okay to Play Games While Charging iPhone 13? 

The iOS App Store offers more than one million games. Your options are practically limitless, with console-like games taking full advantage of iPhone 13’s...

Is It Bad to Use iPhone 13 While Charging? 

The latest iPhone generation comes with the longest battery life yet, managing to provide up to 2.5 extra hours of use. With that said,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari