Unprotected Swedish Health-Line Database Exposed 2.7 Million Calls

  • An open and unprotected database with recorded phone calls exposed the sensitive information of the callers.
  • The discovery was made by a Swedish reporter who received a relevant tip, so the database had probably been accessed multiple times.
  • The companies behind the database never realized the significance of securing such sensitive data.

According to a report by Lars Dobos and IDG.se, Sweden just had the worst healthcare security incident in its history, exposing 2.7 million calls that people made to the 1177 Healthcare Guide service from 2013 until today. The audio files were stored on a server, and the reporter could access all of them without having to enter a password or any other form of authentication. The server was running a deprecated and highly insecure Apache HTTP 2.4.7 that was released back in 2013, and thus it is plagued by numerous vulnerabilities anyway.

As is readily apparent, many of these calls contain names, social security numbers, telephone numbers, health problem details, etc. Thus, the information given in the calls is highly sensitive and should be protected behind a strong layer of security on an up-to-date server. The exposure violates all aspects of the GDPR and the Swedish patient protection law, so who is to blame for this? The database was used by MediCall, a Thailand-based subcontractor of Voice Integrate Nordic AB. In the same matrix of responsibility, there’s also the MedHelp healthcare counseling service provider that outsourced 1177 Care Guide to MediCall.

Lars Dobos called Nordic and spoke with their CEO, Tommy Ekström, who couldn’t believe this was actually happening. As he stated: “This is catastrophic, it’s sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened.”

The fact that new calls were being added in real time and the reporter could access them indicated that the database was still in regular operation at the time of the discovery. How long it was open, when it first opened to the public, who got access to it, and how many times are questions that remain to be answered after a more in-depth investigation.

The “free access” to the database has now been closed, and the mp3 and wav files in it are no longer reachable, but people could previously download them, so it’s possible that a dump is for sale on the darknet.

Have you ever used the 1177 Healthcare Guide in Sweden? Are you planning to exercise your rights against the companies responsible for the leak of your phone call? Let us know in the comments below, and help us spread the word about the incident by sharing this story through our socials, on Facebook and Twitter.
