Peter Macdiarmid/Getty Images for Somerset House
show image

Millions of Swedish patients’ data has been left exposed online

Millions of calls made by Swedish patients to a healthcare advice line have been exposed online, it emerged earlier this week.

An investigation by Computer Sweden published on Monday (18 February) revealed that 2.7 million recorded calls to the Swedish Healthcare Guide service had been stored on a non-password protected open web server.

The database, which could be accessed using the IP address and a web browser, included calls made between 2013 and 2018 and 170,000 hours of conversations. Some 57,000 of the sound files also disclose phone numbers. Access has now been blocked.

It’s feared that a number of the calls may also have been made by parents in relation to children’s symptoms.

Anjola Adeniyi, technical account manager at Securonix, warned that the incident could lead to a fine under the EU’s General Data Protection Regulation.

“It’s often said that Sweden tops the world rankings for best healthcare, however in this instance the Swedish Healthcare Guide service has failed in its corporate governance and duty of care to its patients and citizens.

“GDPR has a clear stance on how personally identifiable information should be handled, which the Swedish Healthcare Guide service has failed to meet and consequently they should be held accountable.

“For a breach like this to occur in the healthcare industry is rather shocking as it’s known for handling sensitive data, and organisations can look to the HIPAA regulation as a standard even when it doesn’t apply to them.”

Commenting on the news, Martin Jartelius, CSO of Outpost24, added: “This is likely the worst privacy breach in Sweden in modern times. Looking at the breach, it is not only due to lapse security, but a complete lack of any form of protection.”