- An open and unprotected database with recorded phone calls exposed the sensitive information of the callers.
- The discovery was made by a Swedish reporter who received a relevant tip, so the database had probably been accessed multiple times before.
- The companies behind the database never realized the significance of securing such sensitive data.
According to a report by Lars Dobos and IDG.se, Sweden just had the worst healthcare security incident in its history, exposing 2.7 million calls that people made to the 1177 Healthcare Guide service from 2013 until today. The audio files were stored on a server from which the reporter could access all of them without entering a password or passing any other form of authentication. The server was running the deprecated Apache HTTP Server 2.4.7, released back in 2013, so it is affected by numerous publicly known vulnerabilities in addition to the missing authentication.
As quickly becomes apparent, many of these calls contain names, social security numbers, telephone numbers, details of health problems, etc. The information given in the calls is therefore highly sensitive and should be protected behind a strong layer of security on an up-to-date server. This violates the GDPR and the Swedish patient protection law, so who is to blame? The database was used by MediCall, a Thailand-based subcontractor of Voice Integrate Nordic AB. In the same matrix of responsibility, there is also the healthcare counseling service provider MedHelp, which outsourced the 1177 Care Guide to MediCall.
Lars Dobos called Nordic and spoke with their CEO, Tommy Ekström, who couldn’t believe this was actually happening. As he stated: “This is catastrophic, it's sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened.”
The fact that new calls were being added in real time and the reporter could access them indicates that the database was still in regular operation at the time of the discovery. When it was first exposed to the public, for how long, who accessed it, and how many times remain to be answered after a more in-depth investigation.
The “free access” to the database has now been closed, and the mp3 and wav files in it are no longer reachable. However, anyone could previously download them, so it is possible that a dump is already for sale on the darknet.
Have you ever used the 1177 Healthcare Guide in Sweden? Are you planning to exercise your rights against the companies responsible for the leak of your phone call? Let us know in the comments below, and help us spread the word about the incident by sharing this story through our socials, on Facebook and Twitter.