vishing medical phone calls record cybersecurity hipaa medical security awareness training phish

Patient-Doctor Confidentiality Exposed

Confidential data being stored online should be securely locked away from the public, especially cyber-criminals, but what happens if there isn’t even a password protecting millions of information?

Jessica Davis from Health IT Security discloses how lack of security impacted millions in her article, 2.7M Medical Calls, Sensitive Audio Exposed Online for 6 Years:

The 1177 Swedish Healthcare Guide Service stored the MP3 or WAV audio files of every call received since 2013 on an unencrypted server that did not require user authentication.

vishing phone calls record cybersecurity hipaa medical security awareness training phish

February 20, 2019 – A 1177 Swedish Healthcare Guide Service server used to store the phone calls made to the service for healthcare information was left unencrypted and exposed online with no user authentication requirement, according to IDG Computer Sweden.

As a result, 170,000 hours of 2.7 million medical calls and audio of these sensitive calls going back to 2013 were left open to the public and could be downloaded or listened to by anyone, without using a password. The calls were answered by Medicall and stored as MP3 or WAV audio files.

The conversations included conversations about diseases and other medical questions, with callers discussing their symptoms, medications, or previous medical treatments. For about 57,000 individuals, phone numbers were also included in the compromised files.

vishing phone calls record cybersecurity hipaa medical security awareness training phish exposed sensitive confidential

Other files contained questions about their children or other relatives, which may include stating their child’s Social Security number, their symptoms, and potential treatment options.

What’s worse is that when the flaw was discovered the server was still in use by 1177, which means that those recordings were still being added in real-time.

Medicall contracted with a Swedish company that provides remote care and healthcare counseling services, MedHelp, which has an agreement with three of the regions involved in the leak, under contract with Inera, another Swedish company.

Tommy Ekström, CEO of Voice Integrate Nordic, told IDG, “This is catastrophic, it’s sensitive data. We had no idea that it was like this. We will, of course, review our systems and check out what may have happened… It is sad, so this should not be.”

vishing phone calls record cybersecurity hipaa medical security awareness training phish

Following the report of the data leak, the server was either shut down or access was shut off, as it’s no longer open to the public.

“1177 The healthcare guide on telephone responds to health and care issues from the public. Each region is responsible for the operation of the service 1177,” Inera posted in a comment to IDG. “The healthcare guide on the telephone and Inera is responsible for coordination, medical decision-making, and the brand. For 18 of the 21 regions, Inera also supplies telephony and medical records.”

“Inera takes this very seriously and works with the three affected regions and subcontractors to analyze the problem and ensure that it is rectified,” they added.

vishing phone calls record cybersecurity hipaa medical security awareness training phish compromised

Given 1177 falls under the EU’s General Data Protection Regulation, the penalties could be severe. The breach should serve as a reminder to US healthcare organizations to ensure strong vendor management and understand where data resides with routine inventory.

Davis, J. (2019, February 20). 2.7M Medical Calls, Sensitive Audio Exposed Online for 6 Years. Health IT Security.

  • 3
  •  
  •  
  •  
  •  
  •  
    3
    Shares