It has been reported that a server used to store real-time recordings of phone calls made to the 1177 Swedish Healthcare Guide service for health care information was found completely exposed to the Internet, with no user or password to protect it. Millions of call recordings were left on an open web server that could be accessed with no password, with the conversations going back to 2013, with around 170,000 of them left out in the open.
2.7 million patient calls to Swedish healthcare hotline left unprotected online
The audio recordings of 2.7 millions calls made to 1177 Vårdguiden — Sweden’s healthcare hotline — were left exposed to anyone online, according to Swedish tech publication … https://t.co/oUYlNbgZQR— Q Malik Fulton (@QMalikFulton) February 18, 2019
Experts Comments below:
Adam Brown, Manager of Security Solutions at Synopsys:
“The exposure of these call recordings is down to a security misconfiguration, and these kind of issues are well known and currently rank at number 6 in the OWASP top 10 which documents the most critical software security flaws today.
The company has applied some security measures and is using HTTPS; however this can offer no protection in this scenario. To avoid these kind of issues, firms must have policy and process to continually monitor the security of production systems, and any findings from that process must be addressed and not simply left as a growing bug pile.
Article 32 of the GDPR states that organisations must implement secure processing, taking into account the state of the art. This doesn’t look the data processor has a defensible position in this case.”
Martin Jartelius, CSO at Outpost24:
“This is likely the worst privacy breach in Sweden in modern time. Looking at the breach, it is due to not only lapse security, but a complete lack of any form of protection. The same company also expose other outdated and very weakly protected services to internet, some so outdated a modern system will not even be able to connect to them. The system has been exposed for a long period of time. Attached is a screenshot of what the server looked like 16th of February 2019 (Image 1 in the attached).
“The device is a NAS device, and rather outdated on software. Other examples include unencrypted administration of an exposed router, exposed log management solutions and much else (Image 2 in the attached).
“To summarise, this is the exact kind of system for which the GDPR should matter and why privacy needs to be taken seriously. Furthermore, it is so upsetting to note that someone who takes the right and obligation to record our most private conversations have both a legal and ethical responsibility to keep this data safe – and they failed. Not because of an advanced attack, but for lack of even trying.”
Anjola Adeniyi, Technical Account Manager at Securonix:
“It’s often said that Sweden tops the world rankings for best healthcare, however in this instance the Swedish Healthcare Guide service has failed in its corporate governance and duty of care to its patients and citizens.
GDPR has a clear stance on how personally identifiable information should be handled, which the Swedish Healthcare Guide service has failed to meet and consequently they should be held accountable.
For a breach like this to occur in the healthcare industry is rather shocking as it’s known for handling sensitive data, and organisations can look to the HIPAA regulation as a standard even when it doesn’t apply to them.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.