
Millions of “private” medical helpline calls exposed on internet

Thanks to Sophos security expert Petter Nordwall for his help with this article.

You know when you call a helpline and a cheery voice advises you that your call may be recorded for a variety of reasons, all of which are supposed to be for your benefit?

Have you ever wondered what happens to all those recordings?

Could something you said confidentially on the phone back in 2014 – personal and private information disclosed during a call to an official medical advice line, for example – suddenly show up in public in 2019?

As millions of people in Sweden are suddenly realising, the answer is a definite “Yes”.

One of the subcontractors involved in running the Swedish medical assistance line 1177 (a bit like 111 in the UK – the number you use for urgent but not emergency medical help) apparently left six years’ worth of call records – 2,700,000 sound files in WAV and MP3 format – on a server that was openly accessible on the internet.

All you’d have needed was a web browser to scroll through and download years of confidential calls.

Ironically, according to Computer Sweden, which published a short video showing a browsing session wandering through the server’s contents, the offending files were available unencrypted over port 443 from a server in Sweden. (The server is now offline.)

To explain.

Web connections need an IP number and a port number to denote the specific service they want from a specific server.

Port numbers are a bit like phone extensions: the main phone number connects you to the front desk, and the extension denotes the specific person or department you want to get through to.

There are thousands of commonly used port numbers – by convention, for example, mail servers listen on port 25, unencrypted web connections (HTTP) on port 80 and encrypted web connections (HTTPS) on 443.

In fact, HTTP and HTTPS are so commonly associated with 80 and 443 that when you write a URL such as http://example.com/, it’s taken as shorthand for the more specific web link http://example.com:80/, where the port number is included explicitly in the URL.

Likewise, https://example.com/ is shorthand for https://example.com:443/.

This shorthand almost always works because almost every server that supports HTTPS does so by listening for incoming network connections on port 443.

In this case, however, Computer Sweden reported that by making a regular, unencrypted HTTP connection to the server mentioned above, but using port 443 instead of the usual port 80, the entire contents of a directory tree called /medicall could be viewed.
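The article doesn’t say what web server software was involved, so the following is an added illustration (not the real configuration, and not code from Sophos or Computer Sweden) using nginx, chosen only because its syntax makes the failure mode easy to see: a `listen 443` directive without the `ssl` keyword serves plaintext HTTP on the port everyone assumes is HTTPS, and `autoindex on` turns every directory without an index page into a browsable listing. The host names, paths and address range are placeholders.

```nginx
# Weak: plaintext HTTP on the HTTPS port, with directory indexes switched on.
# (Assumed illustration of the misconfiguration described in the article.)
server {
    listen 443;                      # no "ssl" here: this is plain HTTP on port 443
    server_name recordings.example.internal;
    root /srv/recordings;
    autoindex on;                    # any directory becomes a browsable file list
}

# Corrected: TLS actually enabled on 443, indexes off, and the archive is
# reachable only from the internal network and only after authentication.
server {
    listen 443 ssl;
    server_name recordings.example.internal;
    ssl_certificate     /etc/ssl/certs/recordings.example.internal.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/recordings.example.internal.key;   # placeholder
    root /srv/recordings;
    autoindex off;                   # no auto-generated "Index of" pages

    location / {
        auth_basic           "Call recordings";
        auth_basic_user_file /etc/nginx/htpasswd;                           # placeholder
        allow 10.0.0.0/8;            # internal range only (placeholder)
        deny  all;
    }
}

# Anything arriving on plain port 80 is sent to HTTPS rather than answered.
server {
    listen 80;
    server_name recordings.example.internal;
    return 301 https://$host$request_uri;
}
```

The two fixes that matter most are the ones that don’t depend on the web server at all: an archive of confidential recordings should not be on an internet-facing host in the first place, and access to it should be authenticated and logged regardless of whether the transport is encrypted.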

As far as we can see, the calls were conveniently split out into browsable subdirectories like this…

. . .
/medicall/2016/01/01
/medicall/2016/01/02
. . .
/medicall/2017/06/01
/medicall/2017/06/02
. . .
/medicall/2019/02/01
/medicall/2019/02/02
/medicall/2019/02/03
. . .

…and so on.
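Two small checks that follow from the port explanation and the directory listing above, written here as an added example in Python (not code from the article or from any of the companies involved): `effective_port` fills in the scheme default the way a browser does, `scheme_port_mismatch` flags the “plaintext HTTP on 443” shape of this exposure, and `looks_like_directory_listing` / `listing_entries` recognise an auto-generated index page in a response body, which is useful when auditing your own hosts. The sample HTML bodies are constructed for the example and imitate the nginx-style listing format; the `/calls` path and the year directories are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Default ports implied by each URL scheme (the shorthand the text describes).
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url):
    """Return the port a URL actually connects to, filling in the scheme default."""
    parts = urlsplit(url)
    if parts.port is not None:          # an explicit ":NNN" in the URL wins
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme)


def scheme_port_mismatch(url):
    """True when plaintext HTTP sits on the HTTPS port, or HTTPS on port 80.

    Worth flagging in an inventory of your own services: it is exactly the
    shape of the exposure the article describes (unencrypted HTTP on 443).
    """
    scheme = urlsplit(url).scheme
    port = effective_port(url)
    return (scheme == "http" and port == 443) or (scheme == "https" and port == 80)


class _ListingParser(HTMLParser):
    """Collects the <title> text and every href from an HTML body."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def looks_like_directory_listing(html):
    """Heuristic: auto-generated index pages from nginx and Apache both carry an
    'Index of ...' title, and nginx also emits a '../' parent link."""
    p = _ListingParser()
    p.feed(html)
    return p.title.strip().lower().startswith("index of") or "../" in p.hrefs


def listing_entries(html):
    """Entries exposed by a listing page (subdirectories end in '/')."""
    p = _ListingParser()
    p.feed(html)
    return [h for h in p.hrefs if h not in ("../", "./")]


# Constructed sample bodies: the first imitates an nginx-style auto-index for a
# recordings directory; the second is an ordinary page that must not trigger.
SAMPLE_LISTING = """<html><head><title>Index of /calls</title></head>
<body><h1>Index of /calls</h1><hr><pre><a href="../">../</a>
<a href="2016/">2016/</a>   01-Jan-2016 00:00   -
<a href="2017/">2017/</a>   01-Jan-2017 00:00   -
<a href="2019/">2019/</a>   01-Jan-2019 00:00   -
</pre><hr></body></html>"""

SAMPLE_PAGE = """<html><head><title>Welcome</title></head>
<body><a href="/about">About us</a> <a href="https://example.com/">Home</a></body></html>"""


if __name__ == "__main__":
    for url in ("http://example.com/", "https://example.com/", "http://example.com:443/"):
        state = "MISMATCH" if scheme_port_mismatch(url) else "ok"
        print(url, "->", effective_port(url), state)
    print("listing?", looks_like_directory_listing(SAMPLE_LISTING), listing_entries(SAMPLE_LISTING))
    print("listing?", looks_like_directory_listing(SAMPLE_PAGE))
```

Run against responses from your own servers, the listing check is a cheap way to catch an `autoindex`-style setting that was left on, and the port check catches a service that answers plaintext on 443 even though every link to it says https://.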

From the video, the most recent call that was exposed seems to have a datestamp of 2019-02-18T08:59, which is just over 24 hours ago at the time of writing.

The earliest datestamp visible in the video goes back to 2014-02-25T10:24, although that file is rather confusingly in a directory named /medicall/2013/04/09.

According to a follow-up report from Computer Sweden, the unsecured server also contained information about calls relating to medical transfers – essentially, non-emergency ambulance trips.

What next?

Swedish politicians are, understandably, unimpressed, and the Swedish Data Protection Agency is investigating.

This is a huge breach of public trust, and is probably the biggest test so far of the recent GDPR legislation (General Data Protection Regulation) in the European Union.

GDPR was put in place to force companies to think about security proactively in the hope of avoiding breaches, and is geared toward prevention rather than punishment.

Nevertheless, in most EU countries, GDPR permits significantly harsher punishments than any previous legislation, with fines that can go as high as €20,000,000 or 4% of company turnover, whichever is greater.

In this saga, it looks as though there are several levels of contract and subcontract – as far as we can tell:

Where the buck stops in this case, and who will bear the ultimate responsibility, remains to be seen.

What to do?

If you called 1177 in the past few years in Sweden, you may be at risk, but it may be impossible for the IT companies involved ever to find out how many records, if any, were stolen and abused by crooks.

So far, it looks as though only calls made in the Stockholm, Södermanland and Värmland regions were affected – in those regions, a Swedish-owned company in Thailand was subcontracted to handle overflow and after-hours calls, and it looks as though only calls answered in Thailand are part of the breach.

Sadly, therefore, there isn’t much you can do except to wait and see what emerges next from the investigations that are currently under way.

More generally, our advice is as follows:

