An unprotected server exposed almost 2.7 million call recordings for six years
- Of the 2.7 million exposed call recordings, almost 57,000 call recordings have filenames containing the telephone numbers of those who called the helpline.
- Researchers noted that the unprotected server available at nas.applion.se might have been impacted by almost 23 vulnerabilities with CVEs assigned between 2013 and 2018.
A storage server containing real-time call recordings made to the 1177 Swedish Healthcare Guide helpline for health care information was found publicly available without any password protection.
The unprotected server, which was left open without a password, exposed almost 2.7 million health-related call recordings dating back to 2013.
23 vulnerabilities in the server
Lars Dobos noted in a blog post that a Shodan search query revealed that the unprotected Apache HTTP Server 2.4.7 available at nas[.]applion.se might have been impacted by almost 23 vulnerabilities with CVEs assigned between 2013 and 2018. Therefore, even if the server had not been left publicly available, it would have been breached at some point in time.
What information was exposed?
Computer Sweden, which detected the open web server, listened to some of the call recordings to learn the extent of the leak and the damage to the public.
- The call recordings included sensitive information about diseases and other ailments of callers.
- Callers’ symptoms and the medications taken for previous treatments.
- Children’s symptoms and social security numbers.
Dobos noted that of the 2.7 million exposed call recordings, almost 57,000 have filenames containing the telephone numbers of those who called the 1177 Swedish Healthcare helpline.
“The fact that the calls are recorded is in itself permitted, it may be necessary for the patient's safety, or to be able to prove abuse, but the saved audio files should be treated with confidentiality according to the patient data law. It is also clearly the question of information that is considered as sensitive personal data according to GDPR,” the report read.
Unprotected storage server used by Medicall
The unprotected server that exposed 2.7 million call recordings was used by Medicall, which is based in Hua Hin, Thailand. The exposed call recordings include calls made to Medicall, a subcontractor to Medhelp, which receives patient calls via the 1177 Care Guide Helpline.
“We have checked this out with our IT, and what you say is completely impossible,” said Davide Nyblom, CEO at Medicall.
“This is catastrophic, it's sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened,” said Tommy Ekström, CEO of Voice Integrate Nordic.