Files were stored on a server using HTTPS but requiring no credentials. http://188.92.248.19:443/medicall/ Some of the calls were saved as .mp3s with the customer's phone number as the file name. The CEO, when confronted, wouldn't believe it and hung up when the reporter asked if he could play one of the tapes.
The article states that the server was a NAS (nas.applion.se).
All files have been available since 2013.
When calling 1177, there's no need to identify yourself with your personal identity number. You can if you want to if your medical history is of significance to your call.
Source: Am Swede and this article... https://computersweden.idg.se/2.2683/1.714787/inspelade-samt...
And I want you guys to hear it from me before you hear it on the streets... I once called 1177 wanting to order a new pair of knees because one of mine hurt. The nurse who answered had a good laugh.
Quoted (translated from Swedish): "Do you think the incompetence is over? No. They have not pulled out the cable. Run Wireshark and send junk packets and you will see that the only thing that is filtered is the SYN-ACK from the server. Sent random seq numbers in response for about an hour and finally established a connection. What do you think I see? Fresh calls from just a few seconds ago in the folder /2019/."
Their business idea was to handle calls that were placed in inconvenient hours, relative to Swedish business hours.
My best guess is that the Thai ISP this office used filtered all outgoing connections except port 80 and 443.
And then someone decided that the way to implement this securely while still allowing this office to access the data was to put a plain HTTP server on port 443. "Who is ever going to crack that?"
No authentication for clients either.
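The setup described above (a plaintext HTTP server parked on port 443, with no authentication and a browsable directory) is something an operator can catch from the first bytes a server sends back. The following is an added example, not code from the thread or from any of the companies named in it; the sample responses are constructed, and the classifier only inspects bytes it is handed, so it runs offline.

```python
import re

# Constructed sample responses, not real captures from the server in the article.
# A TLS 1.2 record header (0x16 = handshake, 0x0303 = version) followed by a
# ServerHello stub: this is what a genuine HTTPS listener answers with.
TLS_SERVER_HELLO = bytes.fromhex("160303002a") + b"\x02\x00\x00\x26\x03\x03" + b"\x00" * 32
# A plaintext HTTP server on port 443 serving an open directory listing.
PLAIN_LISTING = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><title>Index of /recordings/</title>"
                 b"<ul><li>0000000000.mp3</li></ul></html>")
# The same server, but demanding credentials before showing anything.
PLAIN_PROTECTED = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"x\"\r\n\r\n"


def classify_port443_banner(data: bytes) -> dict:
    """Classify the first bytes a server returns on port 443.

    'transport' is 'tls', 'plaintext-http' or 'unknown'. For plaintext HTTP the
    status code is recorded, and 'open_listing' flags a 200 response whose body
    looks like an auto-generated directory index, i.e. files exposed with no
    credentials at all, which is the failure the thread describes.
    """
    result = {"transport": "unknown", "status": None, "open_listing": False}
    # TLS record layer: content type 0x16 (handshake), then major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        result["transport"] = "tls"
        return result
    # Anything that starts with an HTTP status line is unencrypted HTTP.
    m = re.match(rb"HTTP/1\.[01] (\d{3}) ", data)
    if m:
        result["transport"] = "plaintext-http"
        result["status"] = int(m.group(1))
        _head, _sep, body = data.partition(b"\r\n\r\n")
        result["open_listing"] = result["status"] == 200 and b"Index of" in body
    return result


if __name__ == "__main__":
    for label, sample in (("tls", TLS_SERVER_HELLO), ("listing", PLAIN_LISTING),
                          ("protected", PLAIN_PROTECTED)):
        print(label, classify_port443_banner(sample))
```

Pointing this at your own inventory (the bytes from a banner grab of each port-443 listener) turns "someone put plain HTTP on 443" from a guess into a finding with a status code attached.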
The cause of technical breaches falls onto a sliding scale in my mind. That scale goes from pure technical negligence to overbearing technical complexity.
This breach seems like pure negligence. In a surgery this wouldn't be "complications", it would be malpractice. Does GDPR protect those breached here? What recourse do these people have?
We really need to change the narrative around data. It should be a liability. Unlike other disruptions software drives, this will need to be driven by governments.
Breach of patientdatalagen and GDPR
Shall be encrypted so that the patient's identity is protected.
Quoted from the law (translated from Swedish): "Information about a patient's identity that has been documented in the health and medical care and which the county councils are to co-process with the information referred to in the first paragraph, shall be encrypted so that the patient's identity is protected during the processing. Swedish law (2013:1024)"
Transfer of personal data outside the EU (third-country transfer). "Transfers of personal data to third countries or international organisations" Thailand is not on the list of authorized countries. https://gdpr-info.eu/chapter-5/
The GDPR section about sensitive data records * medical records.
(Translated from Swedish) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Further, persons working at tillsynsmyndigheter (supervisory authorities) may have committed "Tjänstefel", that is, a fault committed by a public sector official that is not minor. Chapter 20, On misconduct in office, etc.: "Section 1 Anyone who intentionally or negligently neglects the exercise of authority by action or omission shall be sentenced for misconduct to fines or imprisonment for a maximum of two years. If the act, having regard to the perpetrator's powers or the task's relation to the exercise of authority in other respects or to other circumstances, is to be regarded as poor, they shall not be held liable."
Failure to run a network security scanner, failure to encrypt sensitive data records, failure to use passwords, failure to limit access to sensitive records
I feel absolutely betrayed by the state. I always knew that Sweden's obsession with medical data collection would back-fire but audio recordings? That's just too much.
I hope everyone involved gets sued into oblivion!
I have _REALLY_ serious info in there, and so do members of my family, that can not get out. But it's effing public, and the CEO of the company responsible is handling it like an asshole and Stockholms Landsting will just add it to the pile of fuckups.
It would literally take less than a minute for a red team with IP addresses to find this out, if they ever so much as cared to consider IT security. Why doesn't the local government subject the companies they hand contracts to to that?
Governments just don't follow their own rules. This means that medical files just aren't trustworthy anymore, in the sense that the patient has no control over who sees these and how far they are sent.
I could say "this is a problem in the Netherlands, Belgium, UK and US" where I know the situation is that essentially any doctor or medical staff anywhere can see everything in your file, related or not (e.g. in Belgium a pharmacist getting a woman's birth control prescription can see if they were ever treated in psychiatric care. Hell, the way the system looks, it'd literally be hard for the pharmacist not to notice). These files can even be used against you in a court of law, for example by child services.
Not that all these countries aren't very busy introducing new ways to have the state do whatever they want to do without judicial intervention (Belgium "GAS boetes" and "snelrecht", Netherlands "ZSM"), and just not care how much damage is caused to save a few bucks.
So what are you to do as a patient? You cannot have this file destroyed, because these people have exceptions to every known privacy law. You can usually in theory have it corrected, but the system these governments put in place is fragmented into hundreds of pieces and nobody knows how it works, so good luck. Additionally, actually getting them to cooperate even using an order from a judge is near impossible, and the systems may literally not support corrections in some cases.
At this point the only advice you can give is to please ask every doctor you ask to not make any notes or files on you at all, and just deal with that. "I travel a lot and this just causes trouble" is a useful phrase in that regard.
It isn't really something hidden. In fact I would say that the whole idea is well supported by a significant part of voters who do not want government to do things, nor have restrictions on companies. If we limit the scope to just politics, Stockholm County had probably the most prominent scandal in the last couple of decades with Nya Karolinska, yet essentially lost no voters in the last election.
It is easy to blame politicians, the government or even companies. But at the end of the day there aren't enough people requesting quality or responsibility.
Imagine becoming a public person in the future with random Russian mobs blackmailing me based on my and my family's medical history.
Is this an assumption, or were you able to find a list of leaked calls somewhere?
Slightly pissed off Swede who called 1177 just last week here. Still, I'm glad this happened after GDPR; this means everyone whose personal details were compromised should have plenty of legal options right now.
https://www.dn.se/sthlm/medhelp-polisanmaler-tidningen-compu...
Were they recording all calls, not just a subset to be audited for customer service?
Why not have an auditor listen to the call live and destroy the recording if everything is done by the book and evidence need not be retained?
What happens when someone dies, or gets worse? One of the first things you'll want to know is what advice was offered. I would imagine they had to record all, and keep for some preset period.
On the upside, at least it's probably harder to sift through that data to find embarrassing and/or sensitive information than if it was textual.
(This is one reason that if I'm having a personal issue, I prefer to do a voice call with a friend rather than use IMs like many in my generation are so fond of)
Class action doesn't exist in all countries though. Each person that wants to sue the government might have to do it in his own name.
I am going to say the exact opposite: this will be one of the most widely publicised health care scandals since forever.
It's a deep-seated tendency in mammals to hide sickness, and therefore the confidentiality in healthcare settings is essential to get people to seek care in time.
If you're underage you may especially want to hide those two from your parents depending on the social group. If you're a woman you may also want those two hidden from your family depending on the social group. Sweden has a large refugee population from very conservative cultures and things like acid attacks against women are decently common. So not keeping those things hidden can get you killed or horribly injured if you're in certain social groups.
Wait, what? Where's your source on this?
Via Google I can find references to one case from 1997 and one from 2002, and that's it. The idea that this would in any way be "decently common" here is preposterous.
You can be blackmailed because you have or had a "shameful" disease, a potential employer can deny you a job because you were too often sick for his own taste, insurance might deny you because you have a too risky profile, ...
Kind of a rough argument, but maybe it's just because they have never been beaten or harassed over something about their medical history. Which is good for them, but not the world most of us live in.
Even worse, people with dementia are prone to being scammed. We need to do everything possible to stop adversaries and scammers from having a list of people with neurodegenerative disease. Unfortunately, most people have little fear of their health data being hacked and hospitals have little incentive to protect it. Although I hear things are "getting better," the protection of your health data remains in a terrible state.