Investigation of 1177-incident finalized
In 2019, Swedish media reported that recorded phone calls to the Swedish medical consultation service, 1177, had been available without password protection or other security measures on a web server. IMY, the Swedish DPA, initiated first an investigation of one of the organisations involved in the service. Subsequently, the investigation was extended to include overall six organisations: three companies and three regions in Sweden. The IMY has now finalized its investigation.
“It has been a complex investigation to sort out the connection between the regions and the medical consultation service 1177 as well as the distribution of responsibilities between the different organisations”, says Magnus Bergström, IT security specialist at IMY and part of the investigation team.
1177 Vårdguiden is a medical service that is offered and owned by all 21 regions (counties) in Sweden. It is a service that gathers information about health and medical care and is available online as well as over the phone. Each region carries out its own medical consultation activity either themselves or through subcontractors, but they all form part of one national network.
Every call to the phone number 1177 is first directed to the company Inera who administers and develops the joint systems. Calls to 1177 from the regions of Stockholm, Sodermanland and Varmland were at the time of the incident connected through Inera to the company Medhelp AB who answered the calls.
Medhelp, in turn, had contracted a Thai company Medicall Co Ltd to handle calls to 1177 that came in at night and on weekends. Medhelp and Medicall had entered into a contract with a technology company, Voice Integrate Nordic AB, for switchboard functionality and recording of phone calls. Recordings of the phone calls that were forwarded to the company in Thailand were available on the Internet from a storage server kept by Voice Integrate.
The cause of the incident was that a network attached storage unit had been incorrectly configured and was thereby accessible on public internet. In addition, the unit did not use encrypted communication. Consequently, a vast amount of calls became available without password protection or other security protection. The only thing that was necessary in order to get access to the files with the phone calls was to know the IP address of the storage unit.
“There are two parties that are responsible for the incident: Medhelp and Voice integrate”, Magnus Bergström says.
Medhelp is the medical care provider and personal data controller. In this capacity, they are the ones accountable for taking appropriate technical and organisational measures in order to ensure an adequate level of security to protect personal data – in this case voice recordings – so that unauthorized persons cannot get access to them.
Furthermore, the company has not provided the persons calling 1177 with information according to the rules in the GDPR and the Patient Records Act, for example how their personal data will be processed and that Medhelp is the data controller.
Medhelp has also outsourced tasks involving health and medical care and personal data processing to the Thai company Medicall, which does not fall under Swedish legislation on health and medical care, nor do they fall under the obligation of secrecy in health and medical care laid down by law. This is a breach of the GDPR’s principle of lawfulness.
Further to the contraventions that were established, the IMY has issued an administrative sanction of 12 million SEK (1 193 813 €) towards Medhelp.
In addition, Voice Integrate, in its role as personal data processor, had an obligation to take appropriate and adequate measures to protect the files with recordings that the company handled on behalf of Medhelp.
The Data Protection Regulation, the GDPR, lays down obligations also for processors, i.e. companies or others that process personal data on behalf of someone else. One of those obligations is that the processor must take appropriate security measures in order to protect personal data. This is of particular importance when it comes to health data.
Therefore, IMY has issued an administrative sanction towards Voice Integrate of 650 000 SEK (64 665 €).
IMY also criticizes the three regions for not having provided sufficient information to those seeking medical care by calling 1177. IMY has issued administrative sanctions of 500 000 SEK (49 740 €) towards Region Stockholm and 250 000 SEK (24 871 €) each towards the other two regions, since the lack of information in these two cases were not as severe as in the Region Stockholm case.
After the incident had drawn attention in mass media, the IMY received notifications of a personal data breach from several of the organisations involved.
“It is only the controller, in this case Medhelp, who must notify a personal data breach to the supervisory authority. The fact that we received several notifications indicates that there has been uncertainty about the responsibility between the different parties. Clear distribution of responsibility is crucial in order to obtain a high level of security”, says Magnus Bergström and adds:
“There are several lessons to be learned from this incident. As a controller, you must keep control over your processors and make sure that they fulfil their obligations. Processors have their own obligations to live up to, such as having adequate technical and organisational security measures in place to protect personal data. It is also crucial that organisations continuously work on IT-security, regardless of whether they deal with sensitive health data or not.”