A call center subcontractor handling Sweden’s 1177 medical assistance phone service left a web server containing 2.7 million healthcare-related calls exposed on the internet since 2013.
The national 1177 service is used by the public in Sweden to ask medical professionals questions about health issues, including counseling services, and is commonly used by parents to ask for medical help for their children. Callers need to state their ‘personnummer’ or social security number when calling.
IDG's Computer Sweden reports the recorded calls were left exposed on a server operated by MediCall, an outsourced call-centre provider that’s based in Thailand, but owned by Swedish nationals.
MediCall is a subcontractor to Stockholm firm Medhelp, the primary contractor that supplies 1177 call services to Inera, the Swedish company that actually heads up the national 1177 service. Inera is jointly owned by Sweden’s 21 regions and municipalities.
Although the Inera 1177 service is national, Medhelp only handles calls from Stockholm, Södermanland and Värmland.
MediCall was using a cloud-based call center system, part of which included a storage device to store the recorded calls.
Prior to today’s publication, all 2.7 million call recordings were accessible remotely from any browser to anyone who knew the IP address of the web server. It's not known how many people were affected, but the audio files totaled 170,000 hours of calls logged over six years. The server did not require any authentication to access the audio files, and browser connections to the web server were not encrypted using HTTPS.
Computer Sweden was informed of the unprotected server by an anonymous tipster from the public, though it's not known whether anyone other than the tipster and Computer Sweden accessed the files.
The affected MediCall storage device was taken offline ahead of the report.
MediCall's call centre system was developed by Swedish tech company Voice Integrate Nordic and the openly accessible data was stored on a related firm's storage device that MediCall was using. Tommy Ekström, the CEO of Voice Integrate Nordic, said the leak was "catastrophic" due to the sensitivity of the information.
Inera confirmed in a statement that a security issue had been discovered and remedied by the subcontractor, but distanced itself from the issue, noting that it doesn’t have any agreement with the subcontractor.
The calls, however, are recorded for Inera's purposes, which it said were to allow its staff to go back and check the quality of the calls.
Inera noted that the subcontractor provided the service for regions that don’t use Inera’s own telephony and journal system, which is used by 18 of Sweden’s 21 regions but not the three regions whose recorded calls were affected.
With Europe's GDPR laws, it's likely the incident will attract a review by Sweden's data protection authority to determine which organization was responsible for the unprotected server. GDPR's definitions for data controller and data processor require a contract between the parties.
Another question that could arise is whether the call recordings needed to be retained for six years. GDPR requires that data not be kept for any longer than needed for the purposes for which it is processed, which in this case was call quality assurance.