Swedish Healthcare Guide, a telephone service that provides Swedes with healthcare information, is likely to be in breach of GDPR after it was discovered that 2.7 million unique voice recordings from the service had been left on an unencrypted, publicly accessible server.
The server, which was used to store recordings of phone calls to the Swedish Healthcare Guide service in real time, held over 170,000 hours of calls. Some dated back as far as 2013.
Many of the calls include the discussion of sensitive healthcare details, while some include social security numbers. A small percentage of the files even include phone numbers in the file names.
The data was available online without any form of password protection or other security, meaning anyone who came across it was able to download and listen to the calls.
Given the sensitive nature of the calls, and the onus on personal data security under GDPR, it is highly likely that Swedish Healthcare Guide is in breach of the regulation.
Swedish Healthcare Guide “should be held accountable”
The leak, which is likely to have impacted a large percentage of the 10 million people living in Sweden, is a particularly severe example of the consequences of mishandling personal data.
“For a breach like this to occur in the healthcare industry is rather shocking as it’s known for handling sensitive data, and organisations can look to the HIPAA regulation as a standard even when it doesn’t apply to them,” commented Anjola Adeniyi, technical account manager at Securonix.
Given the severity of the leak, regulators would have good justification to bring the full force of GDPR down on the service.
“It’s often said that Sweden tops the world rankings for best healthcare, however in this instance the Swedish Healthcare Guide service has failed in its corporate governance and duty of care to its patients and citizens,” said Adeniyi.
“GDPR has a clear stance on how personally identifiable information should be handled, which the Swedish Healthcare Guide service has failed to meet and consequently they should be held accountable.”