Voice Integrate Nordic AB – €64,500 Fine (Sweden, 2021)

The Swedish DPA has imposed a fine of EUR 64,500 on Voice Integrate Nordic AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures. All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate. The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability. The Swedish DPA found that Voice Integrate had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it.