Slashdot Mirror


2.7 Million Patient Phone Call Recordings Left Exposed Online (thenextweb.com)

Slashdot reader krenaud tipped us off to this story from The Next Web: The audio recordings of 2.7 million calls made to 1177 Vardguiden -- Sweden's healthcare hotline -- were left exposed to anyone online, according to Swedish tech publication Computer Sweden. The 170,000 hours of incredibly sensitive calls were stored on an open web server without any encryption or authentication, leaving personal information completely exposed for anyone with a web browser....

The calls included sensitive information about patients' diseases and ailments, medication, and medical history. Some examples had people describing their children's symptoms and giving their social security numbers. Some of the files include the phone numbers the calls were made from. Around 57,000 numbers appear in the database and many of those are the callers' personal numbers, making it easy to match information with a particular person.

When reached for comment, the CEO of the subcontractor receiving the calls "denied it happened."

45 comments

  1. "social security numbers" by Anonymous Coward · · Score: 0

    How many times must this be repeated until you idiots understand? "SOCIAL SECURITY" NUMBERS ARE NOT SECRET! They are *PUBLIC INFORMATION*. They cannot ever be used as any kind of "password" or "security"; they are PURELY for keeping track of individual people in a sane manner. (Names have too many duplicates.) Jesus...

    1. Re: "social security numbers" by Anonymous Coward · · Score: 0

      https://www.aclu.org/other/privacy-america-social-security-numbers
      https://www.congress.gov/bill/111th-congress/senate-bill/3789
      https://www.govtrack.us/congress/bills/111/s3789

      And that folks is why idiots like OP should never ever be believed.

    2. Re: "social security numbers" by Anonymous Coward · · Score: 0

      Does US federal law apply to Sweden?

      OP might have missed that tidbit also. AFAIK Swedish person numbers are actually unique, but US SSNs are not. In fact, there's duplicates given out to different people with the same name. Oops.

      Me, I'm always tempted to say "I'm either a name, or a number. You pick. If a name, you don't get the number. If a number, you don't get the name. Which is it gonna be?" Reasonable, since it's the government that insists I have exactly one name, when in reality I have many.

    3. Re: "social security numbers" by carlhaagen · · Score: 2, Informative

      Clearly you are the idiot. You're approaching Swedish "person numbers" as if they were and behaved like American social security numbers. They are not. They are unique/complementary numbers used to register and distinguish citizens, but they cannot be used anywhere as valid identification or authority of any form.

    4. Re: "social security numbers" by Anonymous Coward · · Score: 0

      Exactly my friend, I live in Swedish too! :)

      And as I already posted, the background file for my national security clearance got stolen by the Chinese a few years ago. That contained a lot more information than the credit reports that Uncle Sam requested from all three bureaus.

      Bonus: get some silver coins, view recommendations on my special Youtube channel dedicated to the topic! They constitute a fail-safe insurance strategy for your retirement!

      --
      Rocketman - Star Trek 2: The Wrath of Khan - William Shatner Trailer

    5. Re:"social security numbers" by Anonymous Coward · · Score: 0

      In college in the mid-1980s, the student's social security number became their student ID number. Airplane pilot certificates (ie, "pilot's licence") used their social security number as their "pilot's licence number". It was NEVER a secret identification number. Something happened in the late 1990s or something where it became a secret identifier number.

  2. Public file listings by Njovich · · Score: 1

    Just like with the ongoing barrage of S3 'leaks', this is only an issue because it's too easy to accidentally enable public file listings in servers.

    1. Re:Public file listings by Anonymous Coward · · Score: 1

      The calls should not have been recorded in the first place.

    2. Re: Public file listings by Anonymous Coward · · Score: 0

      But how else do you blackmail someone years later about his premature ejaculation issue, right before you decry him for his supposed impotence issue?

    3. Re:Public file listings by KermodeBear · · Score: 1

      I'm going to take a wild guess that the calls were recorded for one (or perhaps all) of the following reasons:

      1. Government mandate. We are talking government-run healthcare, after all, and we know how governments love to keep treasure troves of data on their citizens.
      2. Liability, especially in a malpractice suit. You can show that the caller didn't "provide enough information to allow for proper advice to be administered, so, your honor, the heart attack isn't our fault."
      3. Quality assurance and training purposes.

      --
      Love sees no species.
  3. "Everybody lies" by Anonymous Coward · · Score: 0

    Although I don't think this is true, it is defiantly close to true for managers, CEOs and the like.

    1. Re:"Everybody lies" by Anonymous Coward · · Score: 0

      "defiantly"?

    2. Re:"Everybody lies" by war4peace · · Score: 1

      Its proximity defies the laws of "psychics".

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  4. That's what interesting means, Kendall. by Anonymous Coward · · Score: 1

    "However, it seems the leaked calls were all made to 1177 Vårdguiden’s subcontractor Medicall — a Thailand-based company owned by Swedes. When asked about the breach, Medicall CEO Davide Nyblom denied it happened despite the overwhelming contradictory evidence."

    -Start right there.

  5. The contents are safe though by PKFC · · Score: 3, Funny

    It's a good thing that the recordings are obfuscated in Swedish. We'll never be able to decrypt that.

    1. Re:The contents are safe though by Megol · · Score: 1

      Linus Torvalds

    2. Re:The contents are safe though by Anonymous Coward · · Score: 0

      I know you're joking, but it always struck me as weird when people in the US assume Swedish is that exotic.

      Syntactically, it always felt much closer to English than e.g. German does to me. Most sentences translate roughly word-for-word, except with some North Germanic twists like 'the' usually being a suffix instead of a separate word, and no do-support or continuous tense.

  6. Well, maybe they should be secret. by Anonymous Coward · · Score: 0

    Despite the theory of being public information, it's dangerous for the numbered to have their person-numbers be widely known.

    1. Re:Well, maybe they should be secret. by KiloByte · · Score: 2

      it's dangerous for the numbered to have their person-numbers be widely known

      I got an idea: can't we tattoo the number on left arm? That'd be secure against hacking unless someone sees you or a photo without a long sleeve.

      Other ideas would be the forehead (never tried AFAIK) or right hand (semi-popular as implanted RFID).

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Well, maybe they should be secret. by drinkypoo · · Score: 2

      If you're looking for one place to put everyone's mark of the beast, er I mean RFID tag or QR code, it clearly has to be somewhere on the head, neck, or upper torso, because all the other parts are optional.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Well, maybe they should be secret. by Anonymous Coward · · Score: 0

      The background file for my national security clearance got stolen by the Chinese a few years ago. That contained a lot more information than the credit reports that Uncle Sam requested from all three bureaus.

      Bonus: get some silver coins, view recommendations on my special Youtube channel dedicated to the topic! They constitute a fail-safe insurance strategy for your retirement!

      --
      Rocketman - Star Trek 2: The Wrath of Khan - William Shatner Trailer

    4. Re:Well, maybe they should be secret. by Anonymous Coward · · Score: 0

      can't we tattoo the number on left arm?

      For the youngsters who don't get the reference...I've only seen that once and he was a Holocaust survivor.

      Nazis had to keep track of their prisoners and that's one way they did it. I can't describe the way I felt, but it was something similar to when I drove past Dachau in Germany. It wasn't exactly the same, because he was a victim and a survivor and a decent person. I guess it just made me think way too hard about WWII and the Holocaust.

      I didn't have the guts to stop at Dachau (and it wasn't on my itinerary anyway), but I just felt like there was evil all around that place that I could feel even on the autobahn.

      I'm sure it was all just in my head though.

    5. Re: Well, maybe they should be secret. by Anonymous Coward · · Score: 0

      It wasn't. I've visited Dachau and it's creepy as hell.

  7. Breach Fatigue by mentil · · Score: 2

    Let's face it: it's all out there by now. Everything. Whatever can be harvested or datamined has been, and all of that has been subsequently leaked/stolen/sold.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Breach Fatigue by Anonymous Coward · · Score: 0

      I have cookie warning fatigue. Thanks a lot, EU.

    2. Re:Breach Fatigue by Anonymous Coward · · Score: 0

      I've directly ublocked every one stumbled upon, and... gone.

    3. Re:Breach Fatigue by No+Longer+an+AC · · Score: 1

      But if everyone has our data shouldn't that devalue it?

      I'd like to think so, but we keep generating new data. It's getting harder and harder to convince businesses who demand an e-mail address that I really don't have one. Or I have to make one up. I wonder if I ever made up a valid e-mail address that belonged to someone else. Sorry about the spam if I did.

    4. Re:Breach Fatigue by Anonymous Coward · · Score: 1

      Yip and the worst thing is, that you only have to put up that warning if you use cookies beyond a session-id for the website itself.

      Which means that either those websites were dumb to show the cookie warning, or they are indeed using those cookies to track you beyond the website.

  8. This is some next level incompetence stuff by fuzzyf · · Score: 4, Interesting

    This one is well above average when it comes to pure stupidity

    This writeup highlights some of the mind-boggling explanations from management:
    https://medium.com/@rikardhjor...

    My favourite:
    "That someone probably, when updating at some point, seen that there was a free networking cable slot, and I guess they thought, some technician: ‘Aha, there should probably be a cable here, but it fell out [sic]’, and then they have connected a networking cable, so that it’s become connected to the Internet. That is just, like, how you do these things" - CEO of Voice Integrate Nordic AB

    1. Re:This is some next level incompetence stuff by Anonymous Coward · · Score: 1

      If it were the case he and everyone associated with this just signed their own professional death warrant. How in the hell do you put a server (assuming it was one and not a cluster), in a datacenter where people are permitted to do that? The datacenter would be entirely liable. That doesn't even get into why in the hell their switches are not locked down which would have also prevented his excuse.

      Who am I kidding. We've outsourced Health care in Canada too and it is fucking disgusting how little Telus (the provider) cares. Doctors may have been through years of training to become a Doctor but they are complete morons when it comes to technology.

    2. Re:This is some next level incompetence stuff by fuzzyf · · Score: 1

      It's wrong on so many levels.
      Almost makes it funny, if it wasn't so serious.

    3. Re:This is some next level incompetence stuff by Anonymous Coward · · Score: 0

      Doctors may have been through years of training to become a Doctor but they are complete morons when it comes to technology.

      They should not have any permissions to fumble around with server configuration in the first place. This is not their job, nor should it ever be. There are highly paid professionals responsible for network and system maintenance, and they didn't do their god damn job.

      Anyhow, I am currently in a master's degree program related to the medical sector (in Europe), and it is frightening how clueless and careless some people in this industry are. Probably because they get money from the government anyway, so there is no reason not to slack off every time they can.

    4. Re:This is some next level incompetence stuff by fuzzyf · · Score: 1

      Physical security is just one aspect that is messed up here.

      Incompetent persons wandering around between servers doing damage is one thing. Storing all your sensitive data on an open browsable webserver whose only protection is "not being plugged in", doesn't make things that much better.

  9. Re:The contents are safe thoughtless by Anonymous Coward · · Score: 0

    Da Schwedish language like da Danmark language in dat not oddly weird is. Da language like old English is. Older than but like is. Bend like ABBA is.

  10. Secrecy/security is not the issue here by rundgong · · Score: 4, Informative

    The Social Security numbers (or directly translated from Swedish, the Personal Number), are not considered secret in Sweden and that is not the issue here. In fact it contains the date of birth and is printed on your driver's license so you can show that when you need to verify your age.

    The problem is that they were talking about sensitive medical information, and with the Personal Number you could much easier connect that information to the correct individual. That is the whole issue here.

    1. Re:Secrecy/security is not the issue here by Anonymous Coward · · Score: 0

      why everybody insists on this bs.. social security number has never been secret.
        but list that contains for example students or employees are regulated by laws....

    2. Re:Secrecy/security is not the issue here by Anonymous Coward · · Score: 0

      I agree buddy! But here in the US, some businesses still ask for them but have been warned not to.

      The background file for my national security clearance got stolen by the Chinese a few years ago. That contained a lot more information than the credit reports that Uncle Sam requested from all three bureaus.

      Bonus: get some silver coins, view recommendations on my special Youtube channel dedicated to the topic! They constitute a fail-safe insurance strategy for your retirement!

      --
      Rocketman - Star Trek 2: The Wrath of Khan - William Shatner Trailer

    3. Re:Secrecy/security is not the issue here by Kjella · · Score: 1

      The problem is that they were talking about sensitive medical information, and with the Personal Number you could much easier connect that information to the correct individual. That is the whole issue here.

      That's a bit of an understatement, that number is the best identifier possible. I'm from Norway but it's pretty similar here, we all have a number which everything is tied into... bank accounts, all employers that pay taxes, insurance, social security, everything in healthcare, car registry, property registry, criminal history, military service record, everything that runs a credit check, e-billing, public education, all sorts of public forms. In short, the number itself is stored so many places it wouldn't be much of a secret. Which means leaks that include that number are basically cumulative; it's your number and it's yours forever. Mine has been the same for 40 years, so a leak of my name and number from decades ago is still valid. We still pretend it's a secret here but it's really a charade.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Secrecy/security is not the issue here by K.+S.+Kyosuke · · Score: 0

      The Social Security numbers (or directly translated from Swedish, the Personal Number), are not considered secret in Sweden

      Presumably because Sweden doesn't have Social Security?

      --
      Ezekiel 23:20
  11. Re:The contents are safe thoughtless by Anonymous Coward · · Score: 0

    Bork-a bork-a bork!

  12. Vårdguiden by Anonymous Coward · · Score: 1

    Come on, it can't be that hard to get accents right.

  13. By strange coincidence by Anonymous Coward · · Score: 1

    The new Cortana nurse's aide smart assistant, trained on an unknown medical corpus, speaks with a Swedish accent

  14. Re:The contents are safe thoughtless by Anonymous Coward · · Score: 0

    That reads more like fake German. The second verb does not move to the end in Swedish (and the first verb doesn't move to the end in German either).

  15. They're taking action by Anonymous Coward · · Score: 1

    Don't worry. The responsible party, Medhelp, are springing into action. They have filed a police report against Computer Sweden for the intrusion.

  16. Plugged the internet cable into the hard drive? by Anonymous Coward · · Score: 0

    Well normally, that's just BS but...

    There is the one outlier of an actual ATAoE endpoint. Another would be a publicly exposed iSCSI target.