
2.7M phone calls to Swedish medical advice service laid open for anyone - estomagordo
https://computersweden.idg.se/2.2683/1.714787/inspelade-samtal-1177-vardguiden-oskyddade-internet
======
OskarS
This is... insane. 2.7 million phone calls, containing the most sensitive
information imaginable, just available on an unsecured server. Many of the
files indexed by phone number, making it trivial to look up any given person.
This has got to be one of the worst data breaches in history.

The article contains a gold nugget in a partial interview with Davide Nyblom,
the CEO of Medicall, the company responsible. When asked for comment by the
magazine:

Davide Nyblom: "I've checked with our IT, what you're saying is not possible."

Reporter: "I have the files in front of me."

Davide Nyblom: "I've checked with our IT, and it can't happen".

Reporter: "Do you want me to play you one of the files?"

[hangs up the phone]

------
estomagordo
(Swedish language article)

Some context: In Sweden, one can dial 1177 to receive medical advice for
anything that isn't an urgent life and death situation. The trained medical
staff at the 1177 call centers give advice to the best of their ability, or
see to it that the caller goes to an emergency room, schedules an appointment or
even gets an ambulance, when applicable.

Now, some of these calls apparently get routed to an off-shore operation in
Thailand, where Swedish expat staff help out during off hours and such.

The publication Computer Sweden found that every call forwarded to this call
center lay open for anyone with internet access to download or stream. All
that was needed was a URL - there weren't even any password credentials
needed.

All in all, 2.7 million calls were affected, from 2013 and up until the very
moment Computer Sweden contacted the responsible company, and had them up
their security.

I can't even start to fathom the vastness of this breach of integrity.

------
bjoli
Fine them off the surface of the planet. This is just beyond bad. It is not
just something that happens. The amount of failsafes that should have
triggered before something like this should be so high that the probabilities
should be indistinguishable from 0.

Apparently it is only calls from three län (administrative regions), but only
because the others didn't use the service of the company in question.

------
filleokus
This must be one of the worst breaches I've ever heard of. Imagine if this
archive is leaked and someone made it searchable or something. I wonder what
the chances are that someone has downloaded this. Probably not that high, but
at the same time it was just plain old HTTP with directory listings and
wav/MP3 files. Not completely unfeasible that someone is crawling stuff like
that.

The URL was apparently
[http://188.92.248.19:443/medicall/](http://188.92.248.19:443/medicall/).

------
yaris
It’s not the first time that Swedish gov/public organizations show that they
don’t have any notion of security in their world view.

------
aboutruby
Duplicate with
[https://news.ycombinator.com/item?id=19191241](https://news.ycombinator.com/item?id=19191241)

------
pointingout
Sweden is a joke when it comes to privacy. Yes, in Sweden GDPR applies, but in
practice it is not applied at all. Just type in Google the name of any resident
in Sweden and you'll get a bunch of companies providing information about full
name, address, picture and directions to where they live, indications of where
to turn, right, left, to go to the flat where the person lives, how much they
make, whether they are married or not, own a car, a house, an apartment, etc.
All because the public agencies sell personal information which has not been
anonymised. The Swedish Data Protection agency is another joke. Have they said
anything about this? I wonder if they are going to do anything at all.
According to the GDPR the region government as well as any other company or
organisation should have contracts in place with reliable providers and they
are responsible when going into a contract with someone who is not reliable,
so the 1177, the region government, Medicall, etc, they are equally
responsible.

~~~
yaris
While you are right that data like your address is freely available, it should
be mentioned that data like your income is a bit more ”protected”. One has to
pay for it (and AFAIK there is a limit on the number of items a private person
can buy) and the person whose data is queried is notified about such a query
(who asked what). Also some info is not as detailed as it may seem at first. What
does it give you if I say that I own a Volvo in a country where 30% of cars
are Volvo? EDIT: spelling

------
techslave
Does Sweden have a HIPAA equivalent? If not, is it something that would have
been applicable?

~~~
OskarS
I'm not a lawyer, but I presume Sweden has laws governing patient privacy.
Even if not, Sweden certainly has the GDPR.

~~~
yxhuvud
PUL might apply too.

~~~
hedwall
GDPR replaces PUL

