Millions of Sensitive Swedish Medical Calls Leak Out

AlphaAtlas

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
According to a recent BBC report, about 2.7 million calls made to a Swedish national health service telephone line have been "exposed." The calls date back to 2013, and supposedly contain sensitive medical information and social security numbers, while Martin Svensson says that there was no encryption or authentication on the server the calls were found on. From the looks of things, all 170,000 hours of those calls were stored out in the open as uncompressed, unprotected .wav files, but access to the website is "currenty blocked."

"We were absolutely astounded by what we found on there. People talking about their symptoms, diseases, their kids' illnesses, giving out their social security numbers. This data is as private as it gets," explained Marcus Jerrang, editor-in-chief at Computer Sweden. Sweden operates a national advice line - 1177 - run by a firm called Medhelp. In turn, this Swedish firm subcontracts out-of-hours calls to Medicall. Medicall had not responded to requests for comment from the BBC. Mr Jerrang told the BBC that a brief conversation between the reporter who uncovered the website and Medicall chief executive Davide Nyblom ended with him denying such a breach was possible and then hanging up when the reporter offered to play one of the files.
 
Shooo, I thought they meant Swedish in Seattle.
Pay your IT well and mix old dogs and new blood, plus hire some penetration testers and stop skimping on security.

My opinion.
 
viper1152012 said:
Shooo, I thought they meant Swedish in Seattle.
Pay your IT well and mix old dogs and new blood, plus hire some penetration testers and stop skimping on security.

My opinion.
Click to expand...
Go old school and keep sensitive data from being accessable remotely. Need to transfer documents from one hospital to the next, then you call the hospital and someone walks to a room with all the data on computers, plugs in a USB drive to get all the data on that individual, they then walk to another room where an internet capable computer is located and you plug in said USB drive which transfers the info to the other hospital after which the USB drive wipes itself clean, and at the other end is similar computer where the information is uploaded straight to their USB drive to which they grab that walk to a similar information room with non-internet computers plug in their drive which moves the data onto their systems again wiping the USB drive once the data transfer is complete.

Fool proof? nah, but we should be very careful about how much security we potentially give up all for the sake of convenience.
 
viper1152012 said:
Shooo, I thought they meant Swedish in Seattle.
Pay your IT well and mix old dogs and new blood, plus hire some penetration testers and stop skimping on security.

My opinion.
Click to expand...

In other words dont let the government do it because it will always be skimped because we never fund anything correctly.

sfsuphysics said:
Go old school and keep sensitive data from being accessable remotely. Need to transfer documents from one hospital to the next, then you call the hospital and someone walks to a room with all the data on computers, plugs in a USB drive to get all the data on that individual, they then walk to another room where an internet capable computer is located and you plug in said USB drive which transfers the info to the other hospital after which the USB drive wipes itself clean, and at the other end is similar computer where the information is uploaded straight to their USB drive to which they grab that walk to a similar information room with non-internet computers plug in their drive which moves the data onto their systems again wiping the USB drive once the data transfer is complete.

Fool proof? nah, but we should be very careful about how much security we potentially give up all for the sake of convenience.
Click to expand...

That and dont trust the government to handle it because their solution WILL be bad and it WILL make everyone unhappy.
 
kju1 said:
In other words dont let the government do it because it will always be skimped because we never fund anything correctly.
Click to expand...

Well the reason for the leak was shit private contractor because they sold the service requested at the lowest price. If they'd gone with some other more expensive contractor there would be a lot of explanation to why they wanted to waste taxpayer money, there's a law in place for how contract work outsourcing etc supposed to work and part of it is about not wasting money..

And the calls that was leaked was made to a medical helpline basically where you get help, suggestions and so on in non-emergency related situations they where recorded and automatically uploaded to a unprotected server that you only needed IP-adress and subfolder.. The way that company did it is just jaw dropping incompetent and I hope that company gets sued out of businesses, if you don't get why you encrypt and password protect you have no business in IT.

But on that subject one of the better (local storage and support, secure to everyone's knowledge, not wastefully expensive) IT solutions for government needs in Sweden is actually the one maintained by the National Insurance and several departments switched to it from various other IT outsourcing etc because they weren't happy with offerings by the big IT firms...
 
I live in Sweden and first time I heard about it is here. This is really bad. I can tell you it's going to start a shit storm because it's not yet widely available information. 1177 is what everyone calls to get suggestions and tips on medical issues. I never called so I'm not affected by it, but I log in to their website to book time, contact etc my hospital.
 
There's a real storm brewing in Sweden now, caused by this. The (accidental) publication of sensitive data is (probably) a violation against several laws, and the authority of data protection will look deeply into the matter.

Computer Sweden, the magazine that originally found this out, has also uncovered some more details.
Seems like the culprit lies with a subcontractor several layers down: The call center's phone system provider!
The software used by the call center seems to have a default setting to record every incoming call and store it on that server. This was allegedly not known by the call center. It was found out by CS also finding recordings of calls for medical transport, which are not to be recorded in the first place.
 
You must log in or register to reply here.
Back
Top