Yet Another Unprotected Server Exposes Medical Data
We've established already that people aren't nearly as careful as they should be when it comes to securing their personal data. Nevertheless, most users realize that they hand over quite a lot of sensitive information on a daily basis, and they at least try to ensure that they're not giving it to someone they don't trust. For example, people who call 1177, a phone number in Sweden through which you can get medical advice for free, are pretty sure that the nurse on the other end of the line won't try to misuse their data. And rightly so – there's no evidence that the medical personnel taking the 1177 calls have done anything to put the sensitive information at risk. Despite this, however, some of it still ended up exposed.
2.7 million private calls left out in the open
Between 2013 and last week, the people of three Swedish regions, Stockholm, Södermanland, and Värmland, made millions of calls to 1177. 2.7 million of these calls were converted into either MP3 or WAV files and were placed on a server that was not protected by a password.
That's more than 170 thousand hours of calls discussing the health of Swedish people and their children. And they were accessible to anyone with a browser and an internet connection.
Who gets the blame?
There's nothing wrong with the fact that the phone calls were recorded. Many organizations, including those in the healthcare sector, record calls to ensure a higher quality of service. The fact that such a vast amount of sensitive information was not protected in any way, however, is horrifying to say the least. Computer Sweden, the Swedish online magazine that discovered (link in Swedish) the exposed server, wanted to know who's responsible. It's a bit more complicated than you might think.
On a national level, the 1177 service is supported by Inera, a company working with local councils and municipalities to provide communication solutions that benefit regular people. In 18 of Sweden's 21 regions, Inera is responsible for everything, including the telephony infrastructure and handling of the data. In Stockholm, Södermanland, and Värmland, however, a company called Medhelp takes the 1177 calls. Not always, though.
Computer Sweden's report says that sometimes, the calls are forwarded to Medicall, a subcontractor registered in Thailand. Medicall processes calls with the help of Biz 2.0 – the cloud-based call center system that ultimately ended up putting the 2.7 million audio files on an unprotected server. It's still unclear whether this all happened because someone made a mistake while configuring the telephone system or whether Biz 2.0's design precluded a more secure way of storing the data. Whatever the cause, the results are clear. Thankfully, shortly after Computer Sweden contacted the responsible companies, the server was secured, and Tommy Ekström, the CEO of the company that developed the call center software, vowed to make sure that such a thing never happens again.
Trust is not enough these days
Unfortunately, this incident can serve as a good reminder of a sad fact of everyday life in the 21st century. As we mentioned already, when you're forced to share personal information, you try to ensure that you give it only to people and companies that will handle it with care. Usually, however, other parties are involved as well: subcontractors and software vendors you may never hear of. You often don't know who these parties are, and you can never be sure that they're doing enough to keep your information safe.