2.7 Million Patient Phone Call Recordings Left Exposed Online (thenextweb.com)
Slashdot reader krenaud tipped us off to this story from The Next Web:
The audio recordings of 2.7 millions calls made to 1177 Vardguiden -- Sweden's healthcare hotline -- were left exposed to anyone online, according to Swedish tech publication Computer Sweden. The 170,000 hours of incredibly sensitive calls were stored on an open web server without any encryption or authentication, leaving personal information completely exposed for anyone with a web browser....
The calls included sensitive information about patients' diseases and ailments, medication, and medical history. Some examples had people describing their children's symptoms and giving their social security numbers. Some of the files include the phone numbers the calls were made from. Around 57,000 numbers appear in the database and many of those are the callers' personal numbers, making it easy to match information with a particular person.
When reached for comment, the CEO of the subcontractor receiving the calls "denied it happened."
Re: (Score:3)
it's dangerous for the numbered to have their person-numbers be widely known
I got an idea: can't we tattoo the number on left arm? That'd be secure against hacking unless someone sees you or a photo without a long sleeve.
Other ideas would be the forehead (never tried AFAIK) or right hand (semi-popular as implanted RFID).
Re: (Score:3)
If you're looking for one place to put everyone's mark of the beast, er I mean RFID tag or QR code, it clearly has to be somewhere on the head, neck, or upper torso, because all the other parts are optional.
Secrecy/security is not the issue here (Score:5, Informative)
The Social Security numbers (or, directly translated from Swedish, the Personal Number) are not considered secret in Sweden, and that is not the issue here. In fact it contains the date of birth and is printed on your driver's license, so you can show that when you need to verify your age.
The problem is that they were talking about sensitive medical information, and with the Personal Number you could much easier connect that information to the correct individual. That is the whole issue here.
Re: (Score:2)
The problem is that they were talking about sensitive medical information, and with the Personal Number you could much easier connect that information to the correct individual. That is the whole issue here.
That's a bit of an understatement, that number is the best identifier possible. I'm from Norway but it's pretty similar here, we all have a number which everything is tied into... bank accounts, all employers that pay taxes, insurance, social security, everything in healthcare, car registry, property registry, criminal history, military service record, everything that runs a credit check, e-billing, public education, all sorts of public forms in short the number itself is stored so many places it wouldn't b
Re: (Score:1)
The Social Security numbers (or directly translated from Swedish, the Personal Number), are not considered secret in Sweden
Presumably because Sweden doesn't have Social Security?
Public file listings (Score:2)
Just like with the ongoing barrage of S3 'leaks', this is only an issue because it's too easy to accidentally enable public file listings in servers.
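As an added illustration of the comment above (not code from the article or the thread), here is how an Apache httpd directory ends up browsable when a distribution's default `Options Indexes` is left on a path later used for file storage, beside a hardened block. The `/srv/recordings` path, the password file and the internal address range are assumptions.

```apache
# Weak (accidental): listing on, no access control.
# Anyone who knows or guesses the path gets a browsable index
# of every file in the directory. "Indexes" is commonly present
# in a distribution's default <Directory> block and is inherited.
# Path is hypothetical.
<Directory "/srv/recordings">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Hardened: listing off, access only for authenticated staff
# coming from the internal network. AllowOverride None also stops
# a stray .htaccess from re-enabling Indexes. Assumes the vhost
# is served over TLS only, so Basic credentials are not sent in clear.
# Password file path and network range are assumptions.
<Directory "/srv/recordings">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    AuthType Basic
    AuthName "Recordings (authorised staff only)"
    AuthUserFile "/etc/httpd/recordings.htpasswd"
    <RequireAll>
        Require valid-user
        Require ip 10.0.0.0/8
    </RequireAll>
</Directory>
```

With `-Indexes` set, a request for the bare directory without an index file returns 403 instead of a file list, which is the quick check to run against any storage path after deployment.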
Re: (Score:1)
The calls should not have been recorded in the first place.
Re: (Score:2)
I'm going to take a wild guess that the calls were recorded for one of (or perhaps all) of the following reasons:
1. Government mandate. We are talking government-run healthcare, after all, and we know how governments love to keep treasure troves of data on its citizens.
2. Liability, especially in a malpractice suit. You can show that the caller didn't "provide enough information to allow for proper advice to be administered, so, your honor, the heart attack isn't our fault."
3. Quality assurance and training
Re: (Score:2)
Its proximity defies the laws of "psychics".
That's what interesting means, Kendall. (Score:1)
"However, it seems the leaked calls were all made to 1177 Vårdguiden’s subcontractor Medicall — a Thailand-based company owned by Swedes. When asked about the breach, Medicall CEO Davide Nyblom denied it happened despite the overwhelming contradictory evidence."
-Start right there.
The contents are safe though (Score:4, Funny)
It's a good thing that the recordings are obfuscated in Swedish. We'll never be able to decrypt that.
Re: (Score:2)
Linus Torvalds
Breach Fatigue (Score:3)
Let's face it: it's all out there by now. Everything. Whatever can be harvested or datamined has been, and all of that has been subsequently leaked/stolen/sold.
Re: (Score:1)
Yip, and the worst thing is that you only have to put up that warning if you use cookies beyond a session ID for the website itself.
Which means that either those websites were dumb to show the cookie warning, or they are indeed using those cookies to track you beyond the website.
Re: (Score:2)
But if everyone has our data shouldn't that devalue it?
I'd like to think so, but we keep generating new data. It's getting harder and harder to convince businesses who demand an e-mail address that I really don't have one. Or I have to make one up. I wonder if I ever made up a valid e-mail address that belonged to someone else. Sorry about the spam if I did.
This is some next level incompetence stuff (Score:5, Interesting)
This writeup highlights some of the mind-boggling explanations from management:
https://medium.com/@rikardhjor... [medium.com]
My favourite:
"That someone probably, when updating at some point, seen that there was a free networking cable slot, and I guess they thought, some technician: ‘Aha, there should probably be a cable here, but it fell out [sic]’, and then they have connected a networking cable, so that it’s become connected to the Internet. That is just, like, how you do these things" - CEO of Voice Integrate Nordic AB
Re: (Score:1)
If it were the case, he and everyone associated with this just signed their own professional death warrant. How in the hell do you put a server (assuming it was one and not a cluster) in a datacenter where people are permitted to do that? The datacenter would be entirely liable. That doesn't even get into why in the hell their switches are not locked down, which would have also prevented his excuse.
Who am I kidding. We've outsourced health care in Canada too and it's fucking disgusting how little Telus (
Re: (Score:2)
Almost makes it funny, if it wasn't so serious.
Re: (Score:2)
Incompetent persons wandering around between servers doing damage is one thing. Storing all your sensitive data on an open, browsable web server whose only protection is "not being plugged in" doesn't make things that much better.
Vårdguiden (Score:1)
Come on, it can't be that hard to get accents right.
By strange coincidence (Score:1)
The new Cortana nurses aide smart assistant, trained on an unknown medical corpus, speaks with a Swedish accent
They're taking action (Score:1)
Don't worry. The responsible party, Medhelp, are springing into action. They have filed a police report against Computer Sweden for the intrusion.