Yesterday, Computer Sweden revealed that 2.7 million recorded calls to Sweden’s 1177 medical assistance phone service had been left on an open web server, with neither password protection nor encryption. The server was operated by MediCall, an outsourced call-center provider based in Thailand but owned by Swedish nationals. MediCall is a subcontractor to Medhelp, a Stockholm firm and the primary contractor that supplies 1177 call services to Inera, the Swedish company that heads up the national 1177 service. Inera is jointly owned by Sweden’s 21 regions and municipalities.
Inera stated that the calls are recorded to check their quality. They further confirmed that the security issue had been discovered and remedied by the subcontractor, but added that it doesn’t have any agreement with the subcontractor.
The report by Computer Sweden reveals that 2.7 million call recordings, a total of 170,000 hours of calls logged over six years, could be accessed remotely from any browser by anyone who knew the IP address of the web server. No authentication was required to retrieve the audio files, and browser connections to the web server were not encrypted with HTTPS.
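The three conditions the report describes (plaintext HTTP, no authentication, and audio files served to anyone with the address) are exactly what an internal audit of a recording store should flag. The script below is an added example, not code from the article or from any of the companies named in it; it classifies captured HTTP responses offline. The responses, the IP address 203.0.113.10 and the `recordings.example.test` hostname are all constructed for illustration.

```python
"""Classify unauthenticated HTTP responses from a call-recording store.

Added example, not from the article. Each Response is what a GET without
cookies or an Authorization header returned; the audit flags the exposure
conditions described in the report."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Content types a recording store would serve (constructed list).
AUDIO_TYPES = {"audio/wav", "audio/x-wav", "audio/mpeg", "audio/ogg"}


@dataclass
class Response:
    """A captured response to an unauthenticated GET."""
    url: str
    status: int
    headers: Dict[str, str]
    body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; empty string when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def audit_response(resp: Response) -> List[str]:
    """Return the exposure findings for one response, in a fixed order."""
    findings: List[str] = []
    # Transport: anything other than https means the audio crossed the
    # network in the clear, as the report describes.
    if urlparse(resp.url).scheme != "https":
        findings.append("plaintext-transport")
    content_type = resp.header("Content-Type").split(";")[0].strip().lower()
    # A 200 to a credential-less request means no authentication was enforced.
    if resp.status == 200:
        if content_type in AUDIO_TYPES:
            findings.append("unauthenticated-audio")
        elif content_type == "text/html" and "index of" in resp.body.lower():
            findings.append("directory-listing")
    # 401/403 means the server refused without credentials: nothing to flag.
    return findings


def audit_all(responses: List[Response]) -> Dict[str, List[str]]:
    """Audit a batch of responses, keyed by URL."""
    return {r.url: audit_response(r) for r in responses}


def exposed_urls(responses: List[Response]) -> List[str]:
    """URLs where recordings or a listing were reachable without credentials."""
    return sorted(
        url
        for url, findings in audit_all(responses).items()
        if "unauthenticated-audio" in findings or "directory-listing" in findings
    )


# Constructed sample responses: two from an exposed server, one from a
# correctly protected API that answers 401 without credentials.
SAMPLE = [
    Response("http://203.0.113.10/recordings/", 200,
             {"Content-Type": "text/html"},
             "<html><title>Index of /recordings</title></html>"),
    Response("http://203.0.113.10/recordings/call-0001.wav", 200,
             {"Content-Type": "audio/wav"}, "RIFF...."),
    Response("https://recordings.example.test/api/calls/0001", 401,
             {"WWW-Authenticate": "Bearer"}, ""),
]

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE).items():
        print(url, findings or ["ok"])
```

In practice the `Response` objects would be filled from a client such as `requests` run against your own hosts; keeping the classification separate from the fetch makes the rule set testable and lets it run over stored responses or proxy logs.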
Computer Sweden listened to some of the recordings to gauge the severity of the issue and found that the calls contained sensitive information about patients’ diseases and ailments, medication, and medical history. Callers also described their children’s symptoms and gave their social security numbers to obtain assistance.
MediCall’s call center system was developed by Swedish tech company Voice Integrate Nordic. Tommy Ekström, the CEO of Voice Integrate Nordic, said the leak was “catastrophic” due to the sensitivity of the information.
Access to the storage device has now been closed following Computer Sweden’s review.
Observers are now speculating whether the incident will attract attention under Europe’s GDPR. It is likely that Sweden’s data protection authority will try to determine which organization was responsible for the unprotected server. GDPR also requires that data is not kept for longer than needed for the purposes for which it is processed. In this case, the data has been exposed on the internet since 2003.