Administrative fine of SEK 35 million against Trygg-Hansa

After receiving a tip, IMY started an investigation of the insurance company Trygg-Hansa (then Moderna Försäkringar). The person who contacted IMY had received an email from the company with a link to a web page with price quotes. On this web page, there were clickable links with URLs that led to documents with insurance information. However, the person noticed that it was possible to access other policyholders' documents, without any kind of login, by simply replacing a few numbers in the web link.

– The documents that have been accessible to unauthorized persons have in some cases contained sensitive personal data, including information about health that also had a high level of detail, so that it was possible to find out, for example, how a health problem arose or details about a health condition. All in all, the large amount of personal data has made it possible to create a clear picture of a person's private circumstances, says Evelin Palmér, legal advisor at IMY.

Possible to access data for more than two years

IMY's supervision has shown that it was possible to access customer data for 650,000 customers during the period October 2018 to February 2021. Among the customer data, in addition to data on health, there is also other data such as financial information, contact details, social security numbers and insurance holdings.

In its decision, IMY states that the deficiencies have been of such a fundamental nature that Trygg-Hansa should have had the opportunity to discover and remedy these even before the relevant IT system was introduced and in any case during the long period that the system was used.

IMY concludes that Trygg-Hansa has not taken appropriate technical measures to ensure a level of security that is appropriate in relation to the risk. The authority therefore issues an administrative fine of SEK 35 million against the company.