MedHelp AB – €1,200,000 Fine (Sweden, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Swedish privacy authority fined MedHelp AB EUR 1.2 million for failing to secure recorded health advice calls. The recordings were left exposed online without proper security, putting callers' personal data at risk. This case highlights the importance of protecting sensitive information, especially in healthcare.
What happened
MedHelp AB failed to secure recorded calls to a health advice hotline, leaving them accessible online without protection.
Who was affected
People who called the 1177 health advice hotline in certain Swedish regions had their calls recorded and exposed online.
What the authority found
The Swedish DPA found that MedHelp did not implement adequate security measures to protect personal data, violating GDPR requirements.
Why this matters
This case underscores the critical need for companies, especially in healthcare, to secure personal data and ensure transparency about data processing. Businesses should review their data protection practices to avoid similar breaches.
Original scraped data
Original data from scraper before AI verification against source document.
The Swedish DPA has imposed a fine of EUR 1,200,000 on MedHelp AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to MedHelp AB, which took the calls. MedHelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both MedHelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings.
A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability.
The Swedish DPA found that MedHelp had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it. Similarly, MedHelp had failed to properly inform callers about the processing of their personal data in accordance with Art. 13 GDPR. In addition, the DPA finds the outsourcing of the processing of personal data to Medicall to be a breach of the legality principle set out
Details
Fine Date
7 June 2021
Authority
Integritetsskyddsmyndigheten
Fine Amount
€1,200,000
Enforcement Tracker ID
ETid-718
About this data
Cite as: Cookie Fines. MedHelp AB - Sweden (2021). Retrieved from cookiefines.eu