Healthcare hotline in Sweden suffers data breach

The Swedish Healthcare Guide service, which patients can call over the phone, has divulged that multiple vulnerabilities in its systems led to the exposure of information from 2.7 million sensitive calls for five years.

The service’s open server had no login credentials, which meant that 170,000 hours of phone calls made between 2013 and 2018 could be accessed freely, reports reveal.

Callers in search of health consultation shared social security numbers in around 57,000 of the calls, which linked to callers’ phone numbers. While users are usually told that phone calls are recorded for training purposes, the absence of the server security opens the doors to a possible GDPR investigation.

Analysis found that an IP address and a web browser were all that was needed to gain access to every call stored on the server, and that these could be opened or downloaded freely in a range of formats.

Martin Jartelis, CSO at Outpost 24 described the breach as “the worst in Sweden in modern time.”

“Looking at the breach, it is due to not only a lapse in security but a complete lack of any form of protection. The same company also exposed other outdated and very weakly protected services to the internet, some so outdated a modern system will not even be able to connect to them.”

“The exposure of these call recordings is down to a security misconfiguration, and these kinds of issues are well known and currently rank at number 6 in the OWASP top 10 which documents the most critical software security flaws today,” said Adam Brown, manager of security solutions at Synopsys.

“To avoid these kinds of issues, firms must have policy and process to continually monitor the security of production systems, and any findings from that process must be addressed and not simply left as a growing bug pile.

“Article 32 of the GDPR states that organisations must implement secure processing, taking into account the state of the art. This doesn’t look the data processor has a defensible position in this case,” Mr Jartelis said.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.