What happened?
According to International Data Group (IDG)’s Swedish tech site Computer Sweden (CS), the recordings of 2.7 million calls made to Swedish healthcare advice line Vårdguiden 1177 were stored as WAV audio files on an unsecured server [1]. The 170,000 hours of sensitive phone calls could be traced back to 2013 and the data was without encryption or authentication [2]; anyone could download these audio files and listen to, a lot of patients’ personal information was completely exposed in an unsafe situation. The CSO of a Swedish cybersecurity company said that this incident was likely the worst privacy breach in Sweden in modern time [2].
How did it happen?
The technical support for hotline 1177 was provided by a Swedish company—Inera, who offering expertise in digitization [3]. However, Inera made a statement on their website that they only in charge of 18 of 21 regions in Sweden, phone calls from the remaining 3 regions were managed by a subcontractor that did not use Inera’s systems [4]. This relevant subcontractor Medhelp outsourced the business to a third company named Medicall, which is a Swedish company based in Thailand. Medicall was the actual recipient of the patient calls via the 1177 healthcare guide from Stockholm, Södermanland, and Värmland. The data leaked in this incident is from these regions [4].
How to exploit the vulnerability?
Medicall used a cloud-based call center system and saved the recordings on this server at the IP address http://188.92.248.19:443/medicall/ [4]. TCP port 443 means that the text transfer is over https, it should be secure, but the session was not encrypted. As a result, anyone acquired the IP address could simply access the stored data by typing it in the address bar of any web browser. Once you gained access to the database, you could browse the data that back to 2013 and even download that. The following is a video on YouTube that uploaded by CS reporter about how to exploit the vulnerability.
https://youtu.be/KSz4y6ylcCY
Why is it serious and how serious?
These audio files include sensitive information such as patients’ diseases, medication and medical history [2]. The importance of medical history is self-evident. Moreover, callers to the hotline always describe their symptoms and provide their social security numbers [2]. In addition, the data processor marked several files with the callers’ phone number in the file name [4]; as a result, it is easily matching individuals’ personal information and their phone number by browsing this database. This open data put patients at risk; furthermore, it has highly possible result in social disorder. More than that, it is not just a threat to individuals’ privacy and confidentiality, it breaks the Swedish regulations and legislation. According to article 32 of the General Data Protection Regulation (GDPR) in Euro, the personal information processing organization should ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services [5]. Obviously, Medicall did not meet the requirement of the legislation especially for the confidentiality; it needs to take legal responsibility and may face severe punishment.
Who is affected and who may be affected?
Fortunately, Medhelp has shut down the server; however, ever since the vulnerability been discovered, 55 call files have been illegally downloaded from 7 different IP addresses [2]. So far, we have no information about the effect result from this incident, but there are potential threats under this situation. Based on the information reveal by the CS, 57,000 Swedish telephone numbers appear in the database, this is a significant amount of data. Once all of the data is leaked, the consequence will be unimaginable, lots of people will be involved.
How might similar problems be prevented in the future?
To prevent similar problems in the future, suppliers should concern more about the service environment that provides by their subcontractors. As we mentioned above, the call recordings from the 18 regions that in charge of the Inera are secure in this breach; as a result, data collecter should learn from this incident to do more test on their subcontractors to reduce the risk. In addition, each institution who have rights to access and store personal information should pay more attention to the security of their data storage.
Discussion:
1. Nowadays, a variety of data is becoming increasingly digitalized, how the data collector protect people’s private data; how can we protect our personal information?
2. Do you think the data processing company Medical should take full responsibility to this breach or people have responsibilities to protect their private information?
Citations:
[1] https://thenextweb.com/eu/2019/02/18/2-7-million-patient-calls-to-swedish-healthcare-hotline-left-unprotected-online/
[2] https://www.healthcareitnews.com/news/swedish-healthcare-advice-line-stored-27-million-patient-phone-calls-unprotected-web-server
[3] https://www.inera.se/om-inera/ineras-uppdrag/
[4] https://computersweden.idg.se/2.2683/1.714787/inspelade-samtal-1177-vardguiden-oskyddade-internet
[5] http://www.privacy-regulation.eu/en/article-32-security-of-processing-GDPR.htm
