2.7M medical calls breached in Sweden (twitter.com)
Files were stored on a server using HTTPS but requiring no credentials. http://188.92.248.19:443/medicall/ Part of the calls were saved as .mp3s with the customer's phone number as the file name. The CEO, when confronted, wouldn't believe it and hung up when the reporter asked if he could play one of the tapes.
The article states that the server was a NAS (nas.applion.se).
All files have been available since 2013.
When calling 1177, there's no need to identify yourself with your personal identity number. You can if you want to if your medical history is of significance to your call.
Source: Am Swede and this article... https://computersweden.idg.se/2.2683/1.714787/inspelade-samt...
And I want you guys to hear it from me before you hear it on the streets... I once called 1177 wanting to order a new pair of knees because one of mine hurt. The nurse who answered had a good laugh.
"Do you think the incompetence is over? No. They have not pulled the cable. Run Wireshark and send junk packets and you will see that the only thing that is filtered is the SYN-ACK from the server. Sent random sequence numbers in response for just about an hour and finally established a connection. What do you think I see? Fresh calls from just a few seconds ago in the folder /2019/."
Their business idea was to handle calls that were placed at inconvenient hours, relative to Swedish business hours.
My best guess is that the Thai ISP this office used filtered all outgoing connections except port 80 and 443.
And then someone decided that the way to implement this securely while still allowing this office to access the data was to put a plain HTTP server on port 443. "Who is ever going to crack that?"
No authentication for clients either.
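The misconfiguration described in this comment (a cleartext HTTP listing on port 443 with no authentication) is the kind of thing an exposure review of your own hosts should catch. The following is an added example, not code from this thread or from any of the companies involved: it starts a constructed stand-in server on loopback and audits it for the four symptoms named above. The host, port, paths and the phone-number file name are all constructed for the demo.

```python
import functools
import http.client
import http.server
import os
import re
import socket
import ssl
import tempfile
import threading

PHONE_MP3 = re.compile(r"^\+?\d{7,15}\.mp3$")  # file name that is just a phone number


def speaks_tls(host, port, timeout=2.0):
    """True if a TLS handshake succeeds; False if the port answers in cleartext."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only asking whether TLS is spoken at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):  # HTTP error text or a timeout instead of a ServerHello
        return False


def audit_share(host, port, path="/"):
    """GET path over plain HTTP: cleartext port, no auth challenge, browsable listing, phone-number names."""
    findings = {"cleartext": not speaks_tls(host, port)}
    conn = http.client.HTTPConnection(host, port, timeout=3)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    findings["status"] = resp.status
    findings["no_auth"] = resp.status == 200 and resp.getheader("WWW-Authenticate") is None
    findings["listing"] = "Directory listing for" in body or "Index of" in body
    names = re.findall(r'href="([^"?]+)"', body)
    findings["phone_files"] = [n for n in names if PHONE_MP3.match(n)]
    return findings


def start_demo_server():
    """Constructed stand-in for the exposed NAS: an unauthenticated directory
    server on a loopback port holding one dummy recording named by phone number."""
    root = tempfile.mkdtemp()
    calls = os.path.join(root, "medicall", "2019")
    os.makedirs(calls)
    with open(os.path.join(calls, "0701234567.mp3"), "wb") as f:
        f.write(b"\x00")  # placeholder bytes, not audio
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=root)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]  # then: audit_share("127.0.0.1", port, "/medicall/2019/")
```

Against the demo server every finding comes back positive; against a properly configured host the TLS check succeeds and the GET should return 401 with a WWW-Authenticate header rather than a listing.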
The cause of technical breaches falls onto a sliding scale in my mind. That scale goes from pure technical negligence to overbearing technical complexity.
This breach seems like pure negligence. In a surgery this wouldn't be "complications", it would be malpractice. Does GDPR protect those breached here? What recourse do these people have?
We really need to change the narrative around data. It should be a liability. Unlike other disruptions software drives, this will need to be driven by governments.
Breach against patientdatalagen and GDPR
Shall be encrypted so that the patient's identity is protected.
"Information about a patient's identity that has been documented within health and medical care and which the county councils are to process jointly with the information referred to in the first paragraph shall be encrypted so that the patient's identity is protected during the processing. Swedish law (2013:1024)"
Transfer of personal data outside the EU (tredjelandsöverföring, third-country transfer). "Transfers of personal data to third countries or international organisations": Thailand is not on the list of authorized countries. https://gdpr-info.eu/chapter-5/
The GDPR section about sensitive data records, including medical records:
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
Further, persons working at the supervisory authorities (tillsynsmyndigheter) may have committed "Tjänstefel", that is, a fault committed by a public sector official that is not minor. Chapter 20, On misconduct in office, etc.: "Section 1 Anyone who intentionally or negligently neglects the exercise of authority by action or omission shall be sentenced for misconduct to fines or imprisonment for a maximum of two years. If the act, having regard to the perpetrator's powers or the task's relation to the exercise of authority in other respects or to other circumstances, is to be regarded as poor, liability shall not be imposed."
Failure to run a network security scanner, failure to encrypt sensitive data records, failure to use passwords, failure to limit access to sensitive records
I feel absolutely betrayed by the state. I always knew that Sweden's obsession with medical data collection would backfire, but audio recordings? That's just too much.
I hope everyone involved gets sued into oblivion!
Imagine becoming a public person in the future with random Russian mobs blackmailing me based on my and my family's medical history.
Is this an assumption, or were you able to find a list of leaked calls somewhere?
Slightly pissed off Swede who called 1177 just last week here. Still, I'm glad this happened after GDPR; this means everyone whose personal details were compromised should have plenty of legal options right now.
https://www.dn.se/sthlm/medhelp-polisanmaler-tidningen-compu...
Were they recording all calls, not just a subset to be audited for customer service?
Why not have an auditor listen to the call live and destroy the recording if everything is done by the book and evidence need not be retained?
What happens when someone dies, or gets worse? One of the first things you'll want to know is what advice was offered. I would imagine they had to record all, and keep for some preset period.
On the upside, at least it's probably harder to sift through that data to find embarrassing and/or sensitive information than if it was textual.
(This is one reason that if I'm having a personal issue, I prefer to do a voice call with a friend rather than use IMs like many in my generation are so fond of)
Class action doesn't exist in all countries though. Each person that wants to sue the government might have to do it in their own name.
I am going to say the exact opposite: this will be one of the most widely publicised health care scandals since forever.
I have _REALLY_ serious info in there, and so do members of my family, that cannot get out. But it's effing public, and the CEO of the company responsible is handling it like an asshole and Stockholms Landsting will just add it to the pile of fuckups.
It would literally take less than a minute for a red team with IP addresses to find this out, if they ever so much as cared to consider IT security. Why doesn't the local government subject the companies it hands contracts to to that?
Governments just don't follow their own rules. This means that medical files just aren't trustworthy anymore, in the sense that the patient has no control over who sees these and how far they are sent.
I could say "this is a problem in the Netherlands, Belgium, UK and US" where I know the situation is that essentially any doctor or medical staff anywhere can see everything in your file, related or not (e.g. in Belgium a pharmacist getting a woman's birth control prescription can see if they were ever treated in psychiatric care. Hell, the way the system looks, it'd literally be hard for the pharmacist not to notice). These files can even be used against you in a court of law, for example by child services.
Not that all these countries aren't very busy introducing new ways to have the state do whatever they want to do without judicial intervention (Belgium "GAS boetes" and "snelrecht", Netherlands "ZSM"), and just not care how much damage is caused to save a few bucks.
So what are you to do as a patient? You cannot have this file destroyed, because these people have exceptions to every known privacy law. You can usually in theory have it corrected, but the system these governments put in place is fragmented into hundreds of pieces and nobody knows how it works, so good luck. Additionally, actually getting them to cooperate even using an order from a judge is near impossible, and the systems may literally not support corrections in some cases.
At this point the only advice you can give is to please ask every doctor you ask to not make any notes or files on you at all, and just deal with that. "I travel a lot and this just causes trouble" is a useful phrase in that regard.
It isn't really something hidden. In fact I would say that the whole idea is well supported by a significant part of voters who do not want government to do things, nor have restrictions on companies. If we limit the scope to just politics, Stockholm County had probably the most prominent scandal in the last couple of decades with Nya Karolinska, yet essentially lost no voters in the last election.
It is easy to blame politicians, the government or even companies. But at the end of the day there aren't enough people requesting quality or responsibility.
[0] https://www.medhelp.se/outsourcad-1177-tjänst-är-effektivast
[1] http://www.medicall.nu/hem-1.aspx
[2] https://www.voiceintegrate.com/se https://www.applion.se/
It's a deep-seated tendency in mammals to hide sickness, and therefore the confidentiality in healthcare settings is essential to get people to seek care in time.
If you're underage you may especially want to hide those two from your parents depending on the social group. If you're a woman you may also want those two hidden from your family depending on the social group. Sweden has a large refugee population from very conservative cultures and things like acid attacks against women are decently common. So not keeping those things hidden can get you killed or horribly injured if you're in certain social groups.
Wait, what? Where's your source on this?
Via google I can find references to one case from 1997 and one from 2002, and that's it. The idea that this would in any way be "decently common" here is preposterous.
You can be blackmailed because you have or had a "shameful" disease, a potential employer can deny you a job because you were too often sick for his own taste, insurance might deny you because you have a too risky profile, ...
Kind of a rough argument, but maybe it's just because they have never been beaten or harassed over something about their medical history. Which is good for them, but not the world most of us live in.
Even worse, people with dementia are prone to being scammed. We need to do everything possible to stop adversaries and scammers from having a list of people with neurodegenerative disease. Unfortunately, most people have little fear of their health data being hacked and hospitals have little incentive to protect it. Although I hear things are "getting better," the protection of your health data remains in a terrible state.
https://www.voiceintegrate.com/se/support/vi-som-jobbar-h%C3...
Not an option if you have an illness. Also, that excuse wouldn't work in Scandinavia. But journals are kept in-house and I trust that way more than the affected service. If the journaling system breaks so does our banking and national ID-services.
Also, this is a phone-in service for what you are supposed to do, the step below going to the ER. Not much you can do, because you call them because you need their help. It's not an option not to. It unloads some calls and redirects the others to 911/the ER.
This stuff, along with many other things, has been outsourced in Sweden to private contractors.
In the end, government is made up of people, and these guys outsourcing and selling off everything are just the ones that would blame the government.
It's fascinating, and a self-fulfilling prophecy!
“Look the government can’t do s*it, they should not be doing things at all. Let’s outsource some more.”
The next contractor hits the wall.
“Look, government can’t handle it. Let’s outsource”.
That is at least how I've seen it play out here in Stockholm.
I’m hoping we can take the schools back at least... because outsourcing teaching has been a disaster imo.
The government is still the employer, the person doing the changes and responsible.
And yes, the solution is mostly NOT DOING THIS AT ALL. Or at least, doing significantly less.
Does this work? From what I hear, beyond the obvious benefits of enabling continued care, notes have an extra important purpose: it helps doctors to protect themselves against bullshit lawsuits.
A medical student in my family told me a story once, about a doctor who told a patient to get some tests. The patient ignored the advice, and was found dead a couple of years later, from an illness that would have been detected early by those tests. The patient's husband came to the doctor's office, seeking to sue her for negligence, and what saved her was that she had notes from those years ago that clearly stated she did in fact order the patient to get the relevant tests done.
This was not journals though, but calls to nurses.
1. The same county awarded contracts for building a hospital where the cost ended up quadrupling to $6 billion more than initially expected. (They got reelected). https://www.thelocal.se/20180207/finance-minister-calls-for-...
2. There was a well publicized scandal a little more than a year ago where aggressive outsourcing ended up potentially exposing classified data. (Some politicians did have to quit, but only for handling the situation poorly after the fact). https://www.thelocal.se/20170721/it-workers-in-other-countri...
3. "Sweden has had a quicker liberalisation than any other advanced economy in the world, in terms of privatisation and deregulation" https://www.thelocal.se/20120324/39864
4. Yet, "They were shocked to find that there is very little evaluation of the effects of the privatisation on Swedish society" https://www.thelocal.se/20110907/36006
5. And maybe the most glaring example of dysfunction, the housing market. https://www.telegraph.co.uk/personal-banking/mortgages/swede... https://www.thelocal.se/20170518/housing-crisis-forces-recor... https://www.thelocal.se/20170828/the-story-of-swedens-housin...
There just isn't much of an expectation of control, or that issues will be dealt with, these days in Sweden. It is unlikely that there would be any meaningful change in this situation either. Any effective change will be off the table and they will continue to outsource without much oversight because that is the agenda. Which is largely what has happened in other areas.
1.1: The hospital is built and operated according to guidelines and specifications set by a consulting firm that had no previous experience building hospitals.
It’s been a cluster fcuk with things missing or completely out of place.
1.2: Appointed Head of operation was a previous employee of the aforementioned consulting firm. More than 80% of the billing from said firm lacked specification but was of course approved by... drumroll ...head of operation!
There are other interesting bits as well, but these stood out to me at the time.
It’s all frankly a brilliant piece of right wing “entrepreneurship”.
Sweden was never perfect, but some of its reputation as a functional country is not unfounded. Today we have many systems we know aren't working, yet little is being done. I have even heard Swedish political analysts being dumbfounded that some political issues where there are obvious flaws, and which should be something that matters to people, don't show in the polls. I guess it might have to do with the political landscape, where there are a large number of people that very likely are dissatisfied. It just doesn't, because of the polarized situation, result in change. Instead it results in whatever is less objectionable, which is mostly whatever made the situation bad in the first place.
Anyway. I hope this incident gets some more attention in Swedish media.
In any case the leak of health information is nothing to laugh at e.g. for those who live under threat of "honor violence".
[1] https://www.na.se/artikel/hallefors/man-i-hallefors-anhallen...
London Metropolitan Police showed a sharp rise in attacks, with 465 recorded in 2017
Particularly common in London, and amongst some immigrant communities. Other countries are not so far behind, and I gather it is quite common in some of the developing world, like India and Pakistan.
Seems like it may have been noticed being used for honour attacks in communities in London, Bradford, Leicester etc, and escalated from there. A particularly horrible form of attack.
These kinds of laws exist in most countries, but if you cannot prove it, they are useless. So if an employer has public access to your health record, what prevents him from doing the above and telling you a random reason?
There was a case in France where an Ikea director had access to private police records and was making hiring decisions based on that. It's completely illegal but they did it for years before getting caught.
Makes a lot of sense as well, anything else would be weird. If this was not the case you could just get it when you have already been deemed sick, to get the faster private care instead of public health care.
Lots of information is available in Sweden that would make Americans squeamish to have public. The difference is that most people aren't interested in the sordid details of their neighbors.
[Analogies may be terrible, but lack of encryption is an additional factor making attacks even easier, particularly for the purpose of discovering the attack vectors.]