Swedish Healthcare hotline in potential GDPR snafu after 2.7m sensitive calls exposed

170,000 hours of phone calls containing sensitive information were left exposed online for five years

A server used to store the calls made to the 1177 Swedish Healthcare Guide service, a hotline for healthcare information, has been found to be vulnerability-ridden and exposed 2.7 million sensitive phone calls between 2013 and 2018.

The open server could be accessed without using any login credentials and stored around 170,000 hours worth of phone calls containing sensitive information.

Advertisement - Article continues below

Around 57,000 of these phone calls, in which callers seeking advice also shared social security numbers, had filenames which featured the caller's phone number, reports Computer Sweden.

While recording sensitive phone calls isn't unusual (we've all been prompted that our phone calls may be monitored for training purposes), the fact that the server required no authentication to access it, is a major issue - one that could potentially lead to GDPR probes.

Upon examination, every single call found on the server could be accessed just by having the IP address and a web browser. The calls could be viewed in list form, dated, and either played straight in the web browser or downloaded as an .mp3 or .wav file.

"This is likely the worst privacy breach in Sweden in modern time," said Martin Jartelius, CSO at Outpost 24. "Looking at the breach, it is due to not only a lapse in security but a complete lack of any form of protection. The same company also exposed other outdated and very weakly protected services to the internet, some so outdated a modern system will not even be able to connect to them."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The server in question was also found to have 23 vulnerabilities on it, meaning that if it wasn't just open for anyone to see, it would most likely have been hacked at some point.

"The exposure of these call recordings is down to a security misconfiguration, and these kinds of issues are well known and currently rank at number 6 in the OWASP top 10 which documents the most critical software security flaws today," said Adam Brown, manager of security solutions at Synopsys.

"To avoid these kinds of issues, firms must have policy and process to continually monitor the security of production systems, and any findings from that process must be addressed and not simply left as a growing bug pile.

"Article 32 of the GDPR states that organisations must implement secure processing, taking into account the state of the art. This doesn't look the data processor has a defensible position in this case."

Advertisement - Article continues below

The hotline operates by triaging callers and then either referring them to local nursing teams or to outside contractors for over-the-phone healthcare advice.

This particular server belonged to Thailand-based, Swedish-owned Medicall, one of the aforementioned subcontractors used by the service to give advice.

Medicall is only used when the hotline and nursing staff are very busy and need extra help, the regions usually serviced by Medicall are Stockholm, Sdermanland and Vrmland.

Medicall uses a cloud-based call system which then saved recordings to the exposed servers. Access to the server has now been blocked.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Most Popular

Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/cloud/355098/ibm-dedicates-supercomputing-power-to-coronavirus-researchers
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020