2.7 Million Swedish Health-Related Calls Were Left Unprotected On The Internet

19/02/2019

According to a report by the Swedish tech publication Computer Sweden, reporter Lars Dobos found 2.7 million recorded phone calls to the national health information line 1177 Vårdguiden (Sweden’s healthcare hotline) left unprotected and available for anyone on the web to listen to.

Lars Dobos said that the millions of call recordings were stored on an open web server that could be accessed without a password. The conversations go back to 2013, and around 170,000 hours’ worth of sensitive calls were left out in the open.

At the time he discovered it, new calls were still being added in real time, meaning that the database was active.

Computer Sweden has analyzed some of the recordings and found that the calls included sensitive information about patients’ diseases and ailments, medication, and medical history.

There are also recordings of parents describing their children’s symptoms and giving their social security numbers.

Some of the files include the phone numbers the calls were made from; around 57,000 of these numbers appear to be the callers’ personal numbers.

[Image: Medicall exposed database. Caption: 170,000 hours of call recordings exposed on the internet without a username or password to protect them]

The leaked calls were all made to 1177 Vårdguiden’s subcontractor Medicall, a Thailand-based company with Swedish owners.

Medicall’s services were called upon by MedHelp, a Swedish company which provides "remote care and services such as healthcare counseling." MedHelp is the company that runs the 1177 Care Guide service under an agreement with Inera, a company owned by Swedish county councils, regions, and municipalities, which "coordinates the development and management of joint digital solutions that benefit the general public, and employees and decision-makers."

The scale of the potential damage is almost unimaginable. Since the audio files have been openly available for at least 6 years, there is no way of knowing who has downloaded the information they contain.

Computer Sweden says it carried out the review with ethics foremost in mind, and that it reduced the public’s exposure by ensuring the pages had been secured before it published its findings.

"At the same time, it has been necessary for us to access very sensitive information to verify the content and scope. We have listened to a few calls and we have performed an automatic scan of all the files on the server to count both the number of calls and the number of telephone numbers that appear in the database," said Computer Sweden.

According to Bleeping Computer, the server was running Apache HTTP Server version 2.4.7, released in 2013. A Shodan search showed that the server was reachable at nas.applion.se and was affected by roughly 23 vulnerabilities with CVEs assigned between 2013 and 2018.

In other words, even if the server had not been left on the internet without any access control, its outdated software means it would most likely still have been compromised at some point.

While recording calls is already common practice, exposing those recordings to the internet without any protection is a serious problem, particularly in light of the GDPR and Swedish patient protection laws.

During a phone call with Dobos, the CEO of Voice Integrate Nordic, Tommy Ekström, stated that "This is catastrophic, it's sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened."

Following the data leak report, Medicall has either shut down or blocked access to the database, so it is no longer accessible over the internet.