Millions of “private” medical helpline calls exposed on internet

Thanks to Sophos security expert Petter Nordwall for his help with this article.

You know when you call a helpline and a cheery voice advises you that your call may be recorded for a variety of reasons, all of which are supposed to be for your benefit?

Have you ever wondered what happens to all those recordings?

Could something you said confidentially on the phone back in 2014 – personal and private information disclosed during a call to an official medical advice line, for example – suddenly show up in public in 2019?

As millions of people in Sweden are suddenly realising, the answer is a definite “Yes”.

One of the subcontractors involved in running the Swedish medical assistance line 1177 (a bit like 111 in the UK – the number you use for urgent but not emergency medical help) apparently left six years’ worth of call records – 2,700,000 sound files in WAV and MP3 format – on a server that was openly accessible on the internet.

All you’d have needed was a web browser to scroll through and download years of confidential calls.

Ironically, according to Computer Sweden, which published a short video showing a browsing session wandering through the the server’s contents, the offending files were available unencrypted over port 443 from a server in Sweden. (The server is now offline.)

To explain.

Web connections need an IP number and a port number to denote the specific service they want from a specific server.

Port numbers are a bit like phone extensions: the main phone number connects you to the front desk, and the extension denotes the specific person or department you want to get through to.

There are thousands of commonly used port numbers – by convention, for example, mail servers listen on port 25, unencrypted web connections (HTTP) on port 80 and encrypted web connections (HTTPS) on 443.

In fact, HTTP and HTTPS are so commonly aassociated with 80 and 443 than when you write a URL such as http://example.com/, it’s taken as shorthand for the more specific web link http://example.com:80/, where the port number is included explicitly in the URL.

Likewise, https://example.com/ is shorthand for https://example.com:443/.

This shorthand almost always works because almost every server that supports HTTPS does so by listening for incoming network connections on port 443.

In this case, however, Computer Sweden reported that by making a regular, unencrypted HTTP connection to the server mentioned above, but using port 443 instead of the usual port 80, the entire contents of a directory tree called /medicall could be viewed.

As far as we can see, the calls were conveniently split out into browsable subdirectories like this…

. . .
/medicall/2016/01/01
/medicall/2016/01/02
. . .
/medicall/2017/06/01
/medicall/2017/06/02
. . .
/medicall/2019/02/01
/medicall/2019/02/02
/medicall/2019/02/03
...

…and so on.

From the video, the most recent call that was exposed seems to have a datestamp of 2019-02-18­T08:59, which is just over 24 hours ago at the time of writing.

The earliest datestamp visible in the video goes back to 2014-02-25­T10:24, although that file is rather confusingly in a directory named /medicall/2013/04/09.

According to a follow-up report from Computer Sweden, the unsecured server also contained information about calls relating to medical transfers – essentially, non-emergency ambulance trips.

What next?

Swedish politicians are, understandably, unimpressed, and the Swedish Data Protection Agency is investigating.

This is a huge breach of public trust, and is probably the biggest test so far of the recent GDPR legislation (General Data Protection Regulation) in the European Union.

GDPR was put in place to force companies to think about security proactively in the hope of avoiding breaches, and is geared toward prevention rather than punishment.

Nevertheless, in most EU countries, GDPR permits significantly harsher punishments than any previous legislation, with fines that can go as high as €20,000,000 or 4% of company turnover, whichever is greater.

In this saga, it looks as though there are several levels of contract and subcontract – as far as we can tell:

• The Swedish public service contracted company X to handle calls to the 1177 number.
• X subcontracted M1 to handle three of the most populous regions in Sweden.
• M1 subcontracted M2 – a Swedish-owned company in Thailand – for overflow and after-hours cover.
• M2 used call centre software supplied by V, whose cloud storage was hosted back in Sweden.
• V’s servers hosted the open-to-anyone voice files.

Where the buck stops in this case, and who will bear the ultimate responsibility, remains to be seen.

What to do?

If you called 1177 in the past few years in Sweden, you may be at risk, but it may be impossible for the IT companies involved ever to find out how many records, if any, were stolen and abused by crooks.

So far, it looks as though only calls made in the Stockholm, Södermanland and Värmland regions were affected – in those regions, a Swedish-owned company in Thailand was subcontracted to handle overflow and after-hours calls, and it looks as though only calls answered in Thailand are part of the breach.

Sadly, therefore, there isn’t much you can do except to wait and see what emerges next from the investigations that are currently under way.

More generally, our advice is as follows:

• If you’re in Sweden, check the official 1177 website (1177.se) for news about your region. Not all regions of the country were affected, and not all calls in the affected regions were included in the breach.
• Consider sticking up for your right not to have your calls recorded. Unfortunately, you may end up waiting longer to be served, given that you often have to wait until a human comes on the line before you can formally opt out. (If sufficiently many of us demand not to be recorded every time we call any sort of helpline, we may eventually make the point that call recording should really be opt-in, not opt-out.)
• Consider how you archive recorded data, including audio and video. With no financial incentive to re-use existing recording tapes, as we used to do in the analog era, it’s easy to let old data pile up indefinitely, just in case. But do you really need years’ worth of private data available online, in real time, in bulk and unencrypted?
• Consider using penetration testing services to look for leaks. Don’t wait until a hacker or journalist comes knocking and finds your badly configured web server listening on a port you forgot about. If you do make a cybersecurity blunder, aim to be the first to find it so you can close it before any harm is done.