Medhelp will pay 12 million after the 1177 leak
Medhelp will pay 12 million after the 1177 leak
SEK 12 million in penalty fees against the company Medhelp, half a million against the Stockholm Region and SEK 250,000 against each against Sörmland and Värmland. This is the outcome of the review made by the Privacy Protection Authority in the case of the millions of 1177 calls that were left unprotected on the internet.
Jesper Cederberg
[email protected]
PUBLISHED:
Lakartidningen.se 2021-06-08
speach-bubble0 COMMENTSCOMMENT
Share on FacebookTweet about this on TwitterShare on LinkedInEmail this to someonePrint this page
In February 2019, the magazine Computer Sweden revealed that 2.7 million calls to 1177 Vårdguiden were unprotected on the internet . The affected regions were Stockholm, Sörmland and Värmland, which all hired the private company Medhelp to receive 1177 calls.
Since then, the Privacy Protection Authority (IMY), formerly known as the Data Inspectorate, has examined the actors in the case. These are three regions and three companies. Now the authority has made a decision.
- It has been a complicated investigation to clarify the connection between the regions and health care advice via 1177 and the relationship of responsibility between the various actors, says Magnus Bergström who is an IT security specialist at IMY and who participated in the review, in a press release.
Calls to 1177 The care guide first goes to Inera, which is owned by the regions and most municipalities in the country, and which provides the common systems. Stockholm, Värmland and Sörmland have, however, by agreement had calls from their residents to the company Medhelp. That company had in turn hired the Thai company Medicall to handle calls on nights and weekends.
The third company that IMY reviewed is Voice Integrate Nordic. They had agreements with both Medhelp and Medicall, which were about switching functionality and recording conversations.
What happened when the 2.7 million calls were unprotected on the internet was that a storage device was misconfigured. This made the device available to anyone on the internet. In addition, the calls were not encrypted and did not require a password to access. What was needed was the device's IP address.
IMY has concluded that two parties are responsible: Medhelp and Voice Integrate. Medhelp has been the responsible care provider and thus been responsible for ensuring that there is sufficient security to protect personal data.
The company has also failed to inform those who called 1177, for example, about how the data is handled in accordance with the Data Protection Ordinance and the Patient Data Act, and that Medhelp is responsible for personal data.
- Medhelp has also outsourced care assignments and personal data processing to the Thai company Medicall, which is not covered by Swedish health and medical care legislation and which is also not covered by the statutory duty of confidentiality in healthcare. This is contrary to the Data Protection Ordinance's principle of legality, says Magnus Bergström.
In total, this justifies a sanction fee of SEK 12 million.
Medhelp writes in a comment on its website that the decision to hire Medicall, where the assignment was performed by Swedish-licensed nurses, was taken in agreement with Region Stockholm, which approved the Thai company as a subcontractor. Following the introduction of the Data Protection Regulation GDPR, a legal evaluation was also carried out and approved by the region.
The company also reports a number of measures that have been taken since the shortcomings became known. Among these is that all healthcare counseling outside Sweden has ceased, increased safety requirements and updated routines for information to patients.
Voice Integrate was also required to take steps to protect the stored calls. This as a personal data assistant, since the company worked on behalf of Medhelp. Since the company has breached that responsibility, they must pay a penalty fee of SEK 650,000.
IMY also criticizes the three regions for lack of information to those who called 1177. The authority issues a sanction fee of SEK 500,000 against the Stockholm Region, and SEK 250,000 against Värmland and Sörmland respectively.
IMY also notes that there has been a lack of clarity in the relationship of responsibility. This is because several players have made reports after Computer Sweden became aware of the shortcomings. In fact, only Medhelp as the person responsible for personal data must make a report.
However, Inera manages without criticism and sanction fees. The company has no responsibility for the personal data processing that Medhelp performs at the health care counseling, or for the storage of the conversations that Medhelp has taken care of, states IMY.
Companies and regions can appeal the IMY's decision.
SEK 12 million in penalty fees against the company Medhelp, half a million against the Stockholm Region and SEK 250,000 against each against Sörmland and Värmland. This is the outcome of the review made by the Privacy Protection Authority in the case of the millions of 1177 calls that were left unprotected on the internet.
Jesper Cederberg
[email protected]
PUBLISHED:
Lakartidningen.se 2021-06-08
speach-bubble0 COMMENTSCOMMENT
Share on FacebookTweet about this on TwitterShare on LinkedInEmail this to someonePrint this page
In February 2019, the magazine Computer Sweden revealed that 2.7 million calls to 1177 Vårdguiden were unprotected on the internet . The affected regions were Stockholm, Sörmland and Värmland, which all hired the private company Medhelp to receive 1177 calls.
Since then, the Privacy Protection Authority (IMY), formerly known as the Data Inspectorate, has examined the actors in the case. These are three regions and three companies. Now the authority has made a decision.
- It has been a complicated investigation to clarify the connection between the regions and health care advice via 1177 and the relationship of responsibility between the various actors, says Magnus Bergström who is an IT security specialist at IMY and who participated in the review, in a press release.
Calls to 1177 The care guide first goes to Inera, which is owned by the regions and most municipalities in the country, and which provides the common systems. Stockholm, Värmland and Sörmland have, however, by agreement had calls from their residents to the company Medhelp. That company had in turn hired the Thai company Medicall to handle calls on nights and weekends.
The third company that IMY reviewed is Voice Integrate Nordic. They had agreements with both Medhelp and Medicall, which were about switching functionality and recording conversations.
What happened when the 2.7 million calls were unprotected on the internet was that a storage device was misconfigured. This made the device available to anyone on the internet. In addition, the calls were not encrypted and did not require a password to access. What was needed was the device's IP address.
IMY has concluded that two parties are responsible: Medhelp and Voice Integrate. Medhelp has been the responsible care provider and thus been responsible for ensuring that there is sufficient security to protect personal data.
The company has also failed to inform those who called 1177, for example, about how the data is handled in accordance with the Data Protection Ordinance and the Patient Data Act, and that Medhelp is responsible for personal data.
- Medhelp has also outsourced care assignments and personal data processing to the Thai company Medicall, which is not covered by Swedish health and medical care legislation and which is also not covered by the statutory duty of confidentiality in healthcare. This is contrary to the Data Protection Ordinance's principle of legality, says Magnus Bergström.
In total, this justifies a sanction fee of SEK 12 million.
Medhelp writes in a comment on its website that the decision to hire Medicall, where the assignment was performed by Swedish-licensed nurses, was taken in agreement with Region Stockholm, which approved the Thai company as a subcontractor. Following the introduction of the Data Protection Regulation GDPR, a legal evaluation was also carried out and approved by the region.
The company also reports a number of measures that have been taken since the shortcomings became known. Among these is that all healthcare counseling outside Sweden has ceased, increased safety requirements and updated routines for information to patients.
Voice Integrate was also required to take steps to protect the stored calls. This as a personal data assistant, since the company worked on behalf of Medhelp. Since the company has breached that responsibility, they must pay a penalty fee of SEK 650,000.
IMY also criticizes the three regions for lack of information to those who called 1177. The authority issues a sanction fee of SEK 500,000 against the Stockholm Region, and SEK 250,000 against Värmland and Sörmland respectively.
IMY also notes that there has been a lack of clarity in the relationship of responsibility. This is because several players have made reports after Computer Sweden became aware of the shortcomings. In fact, only Medhelp as the person responsible for personal data must make a report.
However, Inera manages without criticism and sanction fees. The company has no responsibility for the personal data processing that Medhelp performs at the health care counseling, or for the storage of the conversations that Medhelp has taken care of, states IMY.
Companies and regions can appeal the IMY's decision.