Millions of highly sensitive audio files linked to a Swedish healthcare hotline have been left exposed online for several years, in what could be a major breach of the GDPR.
The 2.7 million files, amounting to 170,000 hours of calls dating back to 2013, were left on an open Apache web server with no password protection, according to local reports.
The calls, recorded for quality assurance purposes, detail highly sensitive information on illnesses and, in some cases, social security numbers, as well as saved phone numbers for around 57,000 callers.
The 1177 Healthcare Guide (Vårdguiden) service is run by government contractor MedHelp, which sings the praises of the service on its website. It appears to have outsourced the operation of the service to MediCall, a Thai-based but Swedish-owned company, which used cloud-based call system Biz 2.0 from Voice Integrate Nordic AB.
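As an added illustration (not taken from the report or from any of the companies named), here is the kind of Apache configuration that produces an exposure like the one described, beside a hardened form; the `/srv/recordings` path, the `/recordings` alias and the password file location are assumptions:

```apache
# WEAK (assumed configuration): the recordings directory is served to anyone,
# and directory listing is on, so every audio file under it can be enumerated
# and downloaded without credentials.
Alias /recordings /srv/recordings
<Directory "/srv/recordings">
    Options +Indexes
    Require all granted
</Directory>

# HARDENED: no directory listing, no anonymous access, TLS only.
# Better still, do not publish call recordings through a public web
# server at all; keep them on an internal system with its own audit trail.
Alias /recordings /srv/recordings
<Directory "/srv/recordings">
    # Refuse to generate an index page when no index file exists.
    Options -Indexes
    AllowOverride None
    # Reject plain-HTTP requests so credentials are never sent in the clear.
    SSLRequireSSL
    # Require a named, authenticated user (assumed password file path).
    AuthType Basic
    AuthName "Call recordings - authorised QA staff only"
    AuthUserFile /etc/apache2/recordings.htpasswd
    Require valid-user
</Directory>
```

A quick defender's check after deploying the hardened block: an unauthenticated request for `/recordings/` must return 401 (or 403 over plain HTTP), never a 200 with an "Index of" page.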
When informed of the privacy snafu, the CEO of MediCall, Davide Nyblom, refused to believe that the incident had occurred, although Voice Integrate Nordic boss, Tommy Ekström, was more concerned.
“This is catastrophic, it's sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened,” he’s quoted as saying.
Inera, the agency which co-ordinates digital projects for the Swedish regions and is responsible for the 1177 brand, sought to distance itself from the issue.
“A safety [issue] has been discovered and remedied by the subcontractor who has been engaged in the three regions that do not use Inera's telephony and journal systems: Stockholm, Värmland and Sörmland. Inera does not have agreements with the relevant subcontractor,” it said in a statement.
“Inera takes this very seriously and works with the three affected regions and subcontractors to analyze the problem and ensure that it is rectified.”
Experts were quick to speculate about a GDPR investigation.
“This is the exact kind of system for which the GDPR should matter and why privacy needs to be taken seriously,” argued Outpost24 CSO, Martin Jartelius. “Furthermore, it is so upsetting to note that someone who takes the right and obligation to record our most private conversations has both a legal and ethical responsibility to keep this data safe — and they failed. Not because of an advanced attack, but for lack of even trying.”
Adam Brown, manager of security solutions at Synopsys, added that security misconfigurations like this continue to be a major threat to firms.
“To avoid these kinds of issues, firms must have policy and process to continually monitor the security of production systems, and any findings from that process must be addressed and not simply left as a growing bug pile,” he added.
“Article 32 of the GDPR states that organizations must implement secure processing, taking into account the state of the art. It doesn’t look like the data processor has a defensible position in this case.”