
2.7M medical calls breached in Sweden - skekaeeeww
https://mobile.twitter.com/mikko/status/1097510234220826624?s=21
======
Sverigevader
On my machine Google translate seems to "boot-loop" that site because of the
cookie settings so I'll just do this:

Files were stored on a server using HTTPS but requiring no credentials.
[http://188.92.248.19:443/medicall/](http://188.92.248.19:443/medicall/) Part
of the calls were saved as .mp3s with the customer's phone number as file name.
The CEO, when confronted, wouldn't believe it and hung up when the reporter asked
if he could play one of the tapes.

The article states that the server was a NAS (nas.applion.se).

All files have been available since 2013.

When calling 1177, there's no need to identify yourself with your personal
identity number. You can if you want to if your medical history is of
significance to your call.

Source: Am swede and this article...
[https://computersweden.idg.se/2.2683/1.714787/inspelade-samt...](https://computersweden.idg.se/2.2683/1.714787/inspelade-samtal-1177-vardguiden-oskyddade-internet)

And I want you guys to hear it from me before you hear it on the streets... I
once called 1177 wanting to order a new pair of knees because one of mine
hurt. The nurse who answered had a good laugh.

~~~
draugadrotten
The breach is still ongoing, according to statements on the dark web, 30
minutes ago (21:10 CET).

"Tror ni inkompetensen är över? Nej. Man har inte dragit ut sladden. Kör
wireshark och skicka skräppacket så ser ni att det enda som filtreras är syn-
ack från servern. Slumpade seq-nr i respons bara någon timme och upprättade
till slut en anslutning. Vad tror ni jag ser? Färska samtal från bara några
sekunder sen i mappen /2019/."

Translates to: Do you think incompetence is over? No. They have not pulled out
the cable. Run wireshark and send junk packets and you will see that the only
thing that is filtered is syn-ack from the server. Sent random seq-no in
response for an hour and finally made a connection. What do you think I see?
Fresh calls from just a few seconds ago in the folder /2019/.

~~~
z3t4
How can you make a connection by guessing the seq nr? What is the firewall rule
that allows such an attack?

~~~
brianpgordon
My guess is that there were still some hosts allowed through the block (e.g.
whatever is writing to that NAS), and that they were accessing the NAS with
frequent new connections. The firewall only tracked transport layer state so
the bad guy was able to hijack an existing session by sneaking in a correctly-
numbered TCP segment inside an IP packet with his own IP address as the
source.

------
testplzignore
There are quite a few hosts responding on port 80 in the 188.92.248.0/21
subnet, including versions of httpd and php over a decade old. I wouldn't be
surprised if there are more things unsecured. Yikes.

~~~
z3t4
Not a good idea to show the IP address in the screenshot.

------
liquidise
Let's talk legal ramifications.

The cause of technical breaches falls onto a sliding scale in my mind. That
scale goes from pure technical negligence to overbearing technical complexity.

This breach seems like pure negligence. In a surgery this wouldn't be
"complications", it would be malpractice. Does GDPR protect those breached
here? What recourse do these people have?

We really need to change the narrative around data. It should be a liability.
Unlike other disruptions software drives, this will need to be driven by
governments.

~~~
acd
Sure!

Breach against patientdatalagen and GDPR

Shall be encrypted so that the patient's identity is protected.

"Uppgifter om en patients identitet som har dokumenterats inom hälso- och
sjukvården och som landstingen ska sambearbeta med sådana uppgifter som avses
i första stycket, ska vara krypterade så att patientens identitet skyddas vid
behandlingen. Lag (2013:1024)." "Information about a patient's identity that
has been documented in the health and medical care and which the county
councils are to co-operate with the information referred to in the first
paragraph, shall be encrypted so that the patient's identity is protected
during the treatment. Swedish law (2013: 1024)"

Transfer of personal data outside EU Tredjelandsöverföring. "Transfers of
personal data to third countries or international organisations" Thailand is
not on the list of authorized countries. [https://gdpr-info.eu/chapter-5/](https://gdpr-info.eu/chapter-5/)

The GDPR section about sensitive data records * medical records.

The controller shall implement appropriate technical and organisational
measures for ensuring that, by default, only personal data which are necessary
for each specific purpose of the processing are processed. That obligation
applies to the amount of personal data collected, the extent of their
processing, the period of their storage and their accessibility. In
particular, such measures shall ensure that by default personal data are not
made accessible without the individual's intervention to an indefinite number
of natural persons.

Further, persons working at tillsynsmyndigheter (supervisory authorities) may
have committed "Tjänstefel", that is, a fault committed by a public-sector
official that is not minor. Chapter 20, On misconduct in office etc. (20 kap.
Om tjänstefel m.m.): "Section 1 Anyone who intentionally or negligently
neglects the exercise of authority by action or omission shall be sentenced
for misconduct for fines or imprisonment for a maximum of two years. If the
act, having regard to the perpetrator's powers or the task's relation to the
exercise of authority in other respects or to other circumstances, is to be
regarded as poor, shall not be held liable."

Failure to run a network security scanner, failure to encrypt sensitive data
records, failure to use passwords, failure to limit access to sensitive
records

------
jdmoreira
Either me, my girlfriend or both of us are in those phone calls.

I feel absolutely betrayed by the state. I always knew that Sweden's obsession
with medical data collection would back-fire but audio recordings? That's just
too much.

I hope everyone involved gets sued into oblivion!

~~~
tapland
Stockholms landsting. The landsting are absolutely disgusting when it comes to
handing out important tasks to private companies.

I have _REALLY_ serious info in there, and so do members of my family, that
can not get out. But it's effing public, and the CEO of the company
responsible is handling it like an asshole and Stockholms Landsting will just
add it to the pile of fuckups.

It would literally take less than a minute for a red team with IP addresses to
find this out, if they ever so much as cared to consider IT security. Why
doesn't the local government subject the companies they hand contracts to to
that?

~~~
candiodari
This is a far more general problem of states in general. They always see
themselves above the rules they apply to others and this is particularly
problematic in the medical realm, but also affects criminal justice for
example.

Governments just don't follow their own rules. This means that medical files
just aren't trustworthy anymore, in the sense that the patient has no control
over who sees these and how far they are sent.

I could say "this is a problem in the Netherlands, Belgium, UK and US" where I
know the situation is that essentially any doctor or medical staff anywhere
can see everything in your file, related or not (e.g. in Belgium a pharmacist
getting a woman's birth control prescription can see if they were ever treated
in psychiatric care. Hell, the way the system looks, it'd literally be hard
for the pharmacist not to notice). These files can even be used against you in
a court of law, for example by child services.

Not that all these countries aren't very busy introducing new ways to have the
state do whatever they want to do without judicial intervention (Belgium "GAS
boetes" and "snelrecht", Netherlands "ZSM"), and just not care how much damage
is caused to save a few bucks.

So what are you to do as a patient? You cannot have this file destroyed,
because these people have exceptions to every known privacy law. You can
usually in theory have it corrected, but the system these governments put in
place is fragmented into hundreds of pieces and nobody knows how it works, so
good luck. Additionally actually getting them to cooperate even using an order
from a judge is near impossible, and the systems may literally not support
corrections in some cases.

At this point the only advice you can give is to please ask every doctor you
ask to not make any notes or files on you at all, and just deal with that. "I
travel a lot and this just causes trouble" is a useful phrase in that regard.

~~~
sz4kerto
Plug: this is what we're trying to solve (amongst other things) at Patients
Know Best. Giving the control back to the patient (you should always have full
access to all data about yourself, and be able to control sharing of these
records). We're mostly present in the UK at the moment.

~~~
tapland
The question is who stores the data. If you manage to let the patients keep it
locally or in physical media it's insane. If you are keeping it for them it's
the same worries as any other service.

This was not journals though, but calls to nurses.

~~~
sz4kerto
We store data for you in a way that's considerably more secure and paranoid
than how other providers work -- quite similarly to CryptDB. We can access
your data when serving it to you, but your medical data is never stored on
disk with a key that we store (it's derived from your password, and we throw
it away after serving you through HTTP).

------
tapland
Yep. My calls with personal identification number are absolutely in there,
with list of 10+ medications, and medical history including genetic disorders
and other things.

Imagine becoming a public person in the future with random Russian mobs
blackmailing me based on my and my family's medical history.

~~~
MasterScrat
> My calls with personal identification number are absolutely in there

Is this an assumption, or were you able to find a list of leaked calls
somewhere?

~~~
danieka
If so, please provide details on how I can verify if my details are in there as
well.

Slightly pissed-off Swede who called 1177 just last week here. Still, I'm glad
this happened after GDPR; this means everyone whose personal details were
compromised should have plenty of legal options right now.

~~~
chopin
GDPR doesn't give you any legal option aside from asking your data protection
authority.

~~~
danieka
Check out Art. 82, right to compensation. I would also be disappointed if this
did not turn into a class action.

------
teddyh
Latest news: The company with the security breach reports the reporter and
news organization to the police for unauthorized entry into their computer
system:

[https://www.dn.se/sthlm/medhelp-polisanmaler-tidningen-compu...](https://www.dn.se/sthlm/medhelp-polisanmaler-tidningen-computer-sweden/)

~~~
teddyh
Non-paywall: [https://www.svt.se/nyheter/medhelp-anmaler-computer-sweden](https://www.svt.se/nyheter/medhelp-anmaler-computer-sweden)

------
rollulus
Seeing posts like this reminds me of a nice quotation I saw somewhere, which is
like "all data will eventually be either public or gone forever".
Unfortunately my search skills are insufficient to find the exact wording or
author.

~~~
lucb1e
I'm okay with that: when I'm dead, do with my data what you will (of course,
so long as anyone implicated like chat partners in chat data, are also dead).
But I guess the quote refers to shorter timespans than that.

~~~
oldmanhorton
Except with medical history, your data can impact your children and
grandchildren (both positively and negatively, but also hopefully privately
regardless).

------
teddyh
Original source: [https://computersweden.idg.se/2.2683/1.714790/1177-lackan-in...](https://computersweden.idg.se/2.2683/1.714790/1177-lackan-integritetshaveri)

------
ObscureScience
Their router admin page and ssh are also open to the internet.

------
jacquesm
So, who thought it was a good idea to record these in the first place and then
to store them on an internet facing server? It doesn't surprise me one bit
though.

~~~
jks
Recording the calls could even be a requirement. You call in to get medical
advice, then later decide the advice was wrong and sue them for malpractice.
Recordings of the calls could be crucial to deciding the case later on.

~~~
jacquesm
That's Sweden, not the USA.

~~~
ptaipale
Such requirements do exist in Sweden, too.

------
vectorEQ
hacking things together in an agile environment :') just deploy to production.
no worries! be happy!

~~~
pure-awesome
With the level of IT competence displayed here, I doubt they've even heard of
Agile.

------
dontbenebby
Why would you even record these calls indefinitely, without a deletion
schedule?

Were they recording _all_ calls, not just a subset to be audited for customer
service?

Why not have an auditor listen to the call live and destroy the recording if
everything is done by the book and evidence need not be retained?

~~~
NeedMoreTea
Medical advice over the phone?

What happens when someone dies, or gets worse? One of the first things you'll
want to know is what advice was offered. I would imagine they had to record
all, and keep for some preset period.

~~~
dontbenebby
Oh yeah, I don't think it's weird that it's recorded, but having it delete
after X days is so simple I'm shocked it wasn't implemented in a Nordic
country w/ strong privacy laws.

On the upside, at least it's probably harder to sift through that data to find
embarrassing and/or sensitive information than if it was textual.

(This is one reason that if I'm having a personal issue, I prefer to do a
voice call with a friend rather than use IMs like many in my generation are so
fond of)
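
The "delete after X days" job dontbenebby calls simple is simple, but a sweep that deletes from a store of call recordings needs two safeguards that are easy to skip: it must refuse to touch anything it cannot classify, and it must be runnable as a dry run. The following Go program is an added example, not code from the thread or from any company named in it. It assumes a file naming convention of `YYYYMMDDThhmmss-<id>.mp3` (UTC) so that the retention clock is anchored on the call time rather than on a filesystem mtime, which changes whenever recordings are copied or restored; the demo directory it creates is constructed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"time"
)

// Assumed naming convention for this example: YYYYMMDDThhmmss-<id>.mp3 in UTC.
// Anything that does not match is left alone and counted, never deleted.
var recordingName = regexp.MustCompile(`^(\d{8}T\d{6})-[^/]+\.mp3$`)

const stampLayout = "20060102T150405"

// callTime extracts the call timestamp embedded in a recording file name.
func callTime(name string) (time.Time, bool) {
	m := recordingName.FindStringSubmatch(name)
	if m == nil {
		return time.Time{}, false
	}
	t, err := time.ParseInLocation(stampLayout, m[1], time.UTC)
	if err != nil {
		return time.Time{}, false
	}
	return t, true
}

// PurgeExpired walks dir and deletes recordings whose call time is older than
// maxAge as of now. With dryRun=true nothing is deleted. It returns the paths
// removed (or that would be removed) and the number of files it refused to
// touch because they did not match the naming convention, so an operator can
// see stray data accumulating in the recording store.
func PurgeExpired(dir string, maxAge time.Duration, now time.Time, dryRun bool) ([]string, int, error) {
	cutoff := now.Add(-maxAge)
	var removed []string
	skipped := 0
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		when, ok := callTime(d.Name())
		if !ok {
			skipped++ // unclassifiable file: the policy never deletes what it cannot date
			return nil
		}
		if !when.Before(cutoff) {
			return nil // still inside the retention window
		}
		if !dryRun {
			if err := os.Remove(path); err != nil {
				return err
			}
		}
		removed = append(removed, path)
		return nil
	})
	return removed, skipped, err
}

func main() {
	// Constructed demo directory; real input would be the recording store.
	dir, err := os.MkdirTemp("", "recordings")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, n := range []string{"20190101T120000-call1.mp3", "20190220T200000-call2.mp3", "README.txt"} {
		if err := os.WriteFile(filepath.Join(dir, n), []byte("audio"), 0o600); err != nil {
			panic(err)
		}
	}
	now := time.Date(2019, 2, 20, 21, 0, 0, 0, time.UTC)
	removed, skipped, err := PurgeExpired(dir, 30*24*time.Hour, now, true)
	fmt.Println("dry run would remove:", removed, "unclassified files:", skipped, "err:", err)
}
```

Run it from cron with dryRun=false once the dry-run output has been reviewed; logging the returned list gives the audit trail that a retention policy under a privacy regime is expected to produce.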

------
mrintegrity
The site hosting this seems to be dead, probably from the load but hopefully
from action taken by the company now that it's public knowledge. Does anyone
have a list of the affected phone numbers? I would like to check if mine is in
there.

------
aboutruby
The government can't fine itself I guess, so it would have to be the EU that
fines Sweden? Or some kind of class action from Swedes?

~~~
makkesk8
A class action is not likely. Most Swedes will probably see this as a minor
setback and just move on.

~~~
bjoli
My whole family (not affected, btw) is livid. I didn't even bring it to their
attention.

I am going to say the exact opposite: this will be one of the most widely
publicised health care scandals since forever.

~~~
makkesk8
I agree, it will definitely be the largest health care scandal in Sweden's
history, but it will most likely not end up with a class action lawsuit.

------
rb808
I'm not clear on why medical records are so sensitive. I can understand some
people might want to hide HIV status - but is there anything else? In the US
people have wanted to hide prior conditions from insurance companies, but I
wouldn't expect this a problem in Sweden.

~~~
marcinzm
STDs in general are sensitive since people may want to hide them or hide the
implications. Abortions are sensitive as well depending on the social group.

If you're underage you may especially want to hide those two from your parents
depending on the social group. If you're a woman you may also want those two
hidden from your family depending on the social group. Sweden has a large
refugee population from very conservative cultures and things like acid attacks
against women are decently common. So not keeping those things hidden can get
you killed or horribly injured if you're in certain social groups.

~~~
OlleTO
> and things like acid attacks against women are decently common.

Wait, what? Where's your source on this?

Via google I can find references to one case from 1997 and one from 2002, and
that's it. The idea that this would in any way be "decently common" here is
preposterous.

~~~
NeedMoreTea
[https://en.wikipedia.org/wiki/Acid_throwing#United_Kingdom](https://en.wikipedia.org/wiki/Acid_throwing#United_Kingdom)

 _London Metropolitan Police showed a sharp rise in attacks, with 465 recorded
in 2017_

Particularly common in London, and amongst some immigrant communities. Other
countries are not so far behind, and I gather it is quite common in some of
the developing world, like India and Pakistan.

~~~
cc81
In the UK it seems it has mostly been a weapon among criminals more than an
honor thing that is more common in the developing world.

~~~
ptaipale
This probably is due to incentives - carrying a knife may bring a long prison
sentence, carrying a bottle of acid or lye as weapon did not. UK changed
sentencing guidelines last year.

[https://www.bbc.com/news/uk-43225911](https://www.bbc.com/news/uk-43225911)

