Audio recordings of 2.7 million calls made to 1177 Vårdguiden, the Swedish health care hotline, have been made available to everyone online, according to the Swedish technology publication Computer Sweden.
The 170,000 hours of extremely sensitive calls were stored on an open web server without any encryption or authentication, leaving personal information entirely within the reach of anyone with a web browser.
Computer Sweden listened to some of the recordings after trying to limit the exposure, i.e. waiting for the site to be secured. The calls included sensitive information about patients' illnesses and conditions, medications and medical history. In some examples, people had described the symptoms of their children and given their social security number.
Some files include the phone numbers from which calls were made. Approximately 57,000 numbers appear in the database, many of which are callers' personal numbers, making it easy to match information with a particular person.
We still do not know how long the calls were available, who is responsible for the breach, or whether bad actors have already accessed the information.
However, it appears that the exposed calls were all made to the contractor of 1177 Vårdguiden, Medicall, a Thai-based company owned by Swedes. Davide Nyblom, President and CEO of Medicall, denied that this happened despite considerable evidence to the contrary.
The magnitude of the data breach, and the incompetence behind it, is staggering, and it is more than likely that an inquiry will be opened on the issue, especially given the clear position of the GDPR on how personally identifiable information should be processed.