2.7 Million Health-Related Calls, Sensitive Info Exposed for Six Years

A server used to store real-time recordings of phone calls made to the 1177 Swedish Healthcare Guide service for health care information was found completely exposed to the Internet, with no user or password to protect it.

As IDG's Lars Dobos says, the millions of call recordings were left on an open web server that could be accessed with no password, with the conversations going back to 2013 and roughly 2.7 million calls amounting to 170,000 hours being left out in the open.

Based on the Apache HTTP Server it was running and the version installed (2.4.7, released during 2013), a quick Shodan search query shows that the server available at nas.applion.se might be impacted by roughly 23 vulnerabilities with CVEs assigned between 2013 and 2018.

Therefore, even if the unprotected server wouldn't have been left wide open, it would have most likely still get hacked at some point in time. 

During the sensitive call recordings, some of the people who called for advice shared social security numbers, and about 57,000 of the call recordings have filenames containing the telephone numbers of those who called the helpline.

While recording the calls is not something unusual, the fact that the calls have been saved on an exposed and unprotected server without any sort of authentication in place is definitely very serious, considering GDPR regulations and Swedish patient protection laws.

The server which was exposing 2.7 million recorded calls to the entire internet at the moment it was first visited by Dobos after receiving an anonymous tip, was used as a storage device by MediCall, a subcontractor with Swedish owners from Thailand, for the Biz 2.0 cloud-based call center system developed by Swedish company Voice Integrate Nordic AB (which is a sister company of Applion AB).

On the other hand, Medicall's services were called upon by MedHelp, a Swedish company which provides "remote care and services such as healthcare counseling."

MedHelp is the company which runs the 1177 Care Guide service under an agreement with Inera, a company owned by Swedish county councils, regions, and municipalities, which "coordinates the development and management of joint digital solutions that benefit the general public, and employees and decision-makers."

During a phone call with Dobos, the CEO of Voice Integrate Nordic, Tommy Ekström, stated that "This is catastrophic, it's sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened."

According to Dobos, the storage server where the health care advice call recordings were stored was still in use at the time he discovered it, with new call being added in real-time.

Following the data leak report, MediCall's storage server is either shut down or access is blocked seeing that it is no longer accessible over the Internet.

BleepingComputer has reached out to MediCall, MedHelp, and Inera for comment but had not heard back at the time of this publication. This article will be updated when a response is received.