Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)-MedHelp AB (6/7/2021)

In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures.
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate.
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability.

The Swedish DPA found that MedHelp had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it. Similarly, MedHelp had failed to properly inform callers about the processing of their personal data in accordance with Art. 13 GDPR.

In addition, the DPA finds the outsourcing of the processing of personal data to Medicall to be a breach of the legality principle set out in the GDPR. This is because Medicall is not covered by Swedish health and medical legislation and is therefore not subject to the legally regulated confidentiality obligation that exists in the Swedish healthcare sector.