Total fine in the amount of EUR 1 258 478 applied by Swedish Authority for Privacy Protection to Medhelp and Voice Integrate for the recorded phone calls to the medical consultation service, 1177, which were available and unprotected on the Internet

The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of of 12 million SEK (1 193 813 €) applied by Swedish Authority for Privacy Protection (IMY) Medhelp and about the administrative sanction towards Voice Integrate of 650 000 SEK (64 665 €) for the recorded phone calls to the medical consultation service, 1177, which were available and unprotected on the Internet.

In 2019, Swedish media reported that recorded phone calls to the Swedish medical consultation service, 1177, had been available without password protection or other security measures on a web server. IMY, the Swedish DPA, initiated first an investigation of one of the organisations involved in the service. Subsequently, the investigation was extended to include overall six organisations: three companies and three regions in Sweden. 1177 Vårdguiden is a medical service that is offered and owned by all 21 regions (counties) in Sweden. It is a service that gathers information about health and medical care and is available online as well as over the phone. Every call to the phone number 1177 is first directed to the company Inera who administers and develops the joint systems. Calls to 1177 from the regions of Stockholm, Sodermanland and Varmland were at the time of the incident connected through Inera to the company Medhelp AB who answered the calls.

Recently, the Swedish Data Protection Authority finalized its investigation. The cause of the incident was that a network attached storage unit had been incorrectly configured and was thereby accessible on public internet. In addition, the unit did not use encrypted communication. Consequently, a vast amount of calls became available without password protection or other security protection. The only thing that was necessary in order to get access to the files with the phone calls was to know the IP address of the storage unit.

Further to the contraventions that were established, the IMY has issued an administrative sanction of 12 million SEK (1 193 813 €) towards Medhelp. In addition, Voice Integrate, in its role as personal data processor, had an obligation to take appropriate and adequate measures to protect the files with recordings that the company handled on behalf of Medhelp. Therefore, IMY has issued an administrative sanction towards Voice Integrate of 650 000 SEK (64 665 €).

The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.