- A server used to store recordings of phone calls made to 1177, Sweden's healthcare guide service, was left unencrypted and exposed on the internet with no authentication requirement, according to IDG Computer Sweden.
As a result, 2.7 million recorded calls, about 170,000 hours of audio going back to 2013, could be downloaded or listened to by anyone who found the server, without a password. The calls had been answered by Medicall and were stored as MP3 or WAV audio files.
The recordings covered diseases and other medical questions, with callers discussing their symptoms, medications, or previous medical treatments. For about 57,000 individuals, the caller's phone number was also stored alongside the exposed files.
Other recordings contained questions about callers' children or other relatives, which may include the child's Swedish personal identity number (personnummer, the equivalent of a Social Security number), their symptoms, and potential treatment options.
Worse, the server was still in production use by 1177 when the exposure was discovered, so new recordings were still being written to it in real time.
Medicall worked as a subcontractor to MedHelp, a Swedish company that provides remote care and healthcare counseling services. MedHelp in turn has agreements with three of the regions involved in the leak, which run the service under contract with Inera, another Swedish company.
Tommy Ekström, CEO of Voice Integrate Nordic, told IDG, “This is catastrophic, it's sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened… It is sad, so this should not be.”
Following the report of the leak, the server was either taken offline or had its public access cut off; it is no longer reachable from the internet.
“1177, the healthcare guide on the telephone, responds to health and care issues from the public. Each region is responsible for the operation of the 1177 service,” Inera said in a comment to IDG. “For the healthcare guide on the telephone, Inera is responsible for coordination, medical decision-making and the brand. For 18 of the 21 regions, Inera also supplies telephony and medical records.”
“Inera takes this very seriously and works with the three affected regions and subcontractors to analyze the problem and ensure that it is rectified,” Inera added.
Because 1177 processes the health data of EU residents, it falls under the EU's General Data Protection Regulation, and the penalties could be severe. The exposure sat two contractual layers below the regions that own the service (a subcontractor of a contractor), which is the part US healthcare organizations should take as a reminder: vendor management has to reach the subcontractors a vendor hands data to, and a routine inventory of where patient data resides has to include copies held on their systems.
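The failure mode described in the report, recordings reachable by a plain anonymous HTTP request, is something an inventory process can test for directly. The following is an added example, not code from the original report or from any of the companies named in it: it starts two throwaway local HTTP servers over a constructed directory holding a dummy MP3 (the real server, paths and files are not public, so everything here is assumed), one serving files openly and one demanding HTTP Basic credentials, then probes each the way an outsider would and classifies the answer. The "Directory listing" / "Index of" strings are the markers Python's `http.server` and Apache use for auto-generated indexes; other servers may need their own.

```python
"""Probe a recording store for unauthenticated access (added example)."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

# Content types that indicate call audio is being handed out.
AUDIO_TYPES = {"audio/mpeg", "audio/mp3", "audio/x-wav", "audio/wav"}
# Markers of auto-generated directory indexes (Python http.server, Apache).
LISTING_MARKERS = (b"Directory listing", b"Index of")


def probe(url, timeout=5):
    """Anonymous GET of url. Returns (verdict, detail), where verdict is
    'exposed' (audio or a file index served with no credentials),
    'protected' (server demands credentials), 'ok' or 'unreachable'."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get_content_type()
            head = resp.read(4096)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return "protected", f"HTTP {err.code}"
        return "ok", f"HTTP {err.code}"
    except (urllib.error.URLError, OSError) as err:
        return "unreachable", str(err)
    if ctype in AUDIO_TYPES:
        return "exposed", f"recording served without credentials ({ctype})"
    if ctype == "text/html" and any(m in head for m in LISTING_MARKERS):
        return "exposed", "directory index reveals every stored file"
    return "ok", ctype


class _OpenStore(http.server.SimpleHTTPRequestHandler):
    """Plain file server: the configuration the report describes."""

    def log_message(self, *args):  # keep demo output quiet
        pass


class _AuthStore(_OpenStore):
    """Same file server, but refuses requests without an Authorization header.
    (A real deployment would also verify the credentials and use TLS.)"""

    def do_GET(self):
        if self.headers.get("Authorization") is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="recordings"')
            self.end_headers()
            return
        super().do_GET()


def _start(handler, directory):
    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), functools.partial(handler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo():
    """Probe an open and an auth-protected copy of the same (constructed) store."""
    results = {}
    with tempfile.TemporaryDirectory() as store:
        # Constructed dummy recording; a real store would hold MP3/WAV call audio.
        with open(os.path.join(store, "call-0001.mp3"), "wb") as f:
            f.write(b"\xff\xfb\x90\x00" + b"\x00" * 64)
        for name, handler in (("open", _OpenStore), ("protected", _AuthStore)):
            server, base = _start(handler, store)
            try:
                results[f"{name}_listing"] = probe(base + "/")
                results[f"{name}_file"] = probe(base + "/call-0001.mp3")
            finally:
                server.shutdown()
                server.server_close()
    return results


if __name__ == "__main__":
    for check, (verdict, detail) in run_demo().items():
        print(f"{check:18s} {verdict:10s} {detail}")
```

Against real infrastructure, `probe` would be run from outside the organization's network over the inventory of vendor- and subcontractor-hosted endpoints; an 'exposed' verdict on anything holding patient data is the finding, and 'protected' only means the front door asks for credentials, not that the store is encrypted or that the credentials are sound.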