In June last year, the Privacy Protection Authority (formerly the Data Inspectorate) decided that the parties in the so-called 1177 leak would pay penalty fees. Medhelp would pay the most: SEK 12 million. Region Sörmland, Region Värmland, Region Stockholm, and the company Voice Integrate Nordic, would pay penalty fees of a few hundred thousand kronor each. Inertia, which is owned by regions and municipalities in the country, however, would not have to pay any fee.
It was in February 2019 that the magazine Computer Sweden revealed that 2.7 million calls to 1177 Vårdguiden were unprotected on the internet. The affected regions were Stockholm, Sörmland, and Värmland, which all hired the private company Medhelp to receive 1177 calls. Medhelp, in turn, had hired the Thai company Medical to handle calls on nights and weekends. And both Medhelp and Medical had agreements with Voice Integrate Nordic on switching functionality and recording calls.
Following the Integrity Protection Authority’s decision on sanction fees, four parties decided to appeal the decision: Medhelp, Voice Integrate Nordic, the Stockholm Region, and the Värmland Region.
And now the administrative court has made its decision. Medhelp will pay SEK 8.8 million, which is a reduction from the 12 requested by the Privacy Protection Authority, reports Dagens Nyheter.
– The Administrative Court considers that the health care counseling company MedHelp should have ensured a better level of security for the data. This is a large number of sensitive information that has been unprotected for a long time, says Anna Önell, Chief Counsel, in a press release from the court.
The Privacy Protection Authority has previously assessed that Medhelp violated the requirement that personal data in healthcare may only be processed by healthcare providers in Sweden when the company hired Thai Medical. But that assessment is not made by the administrative court.
– The technical development entails more and more opportunities to conduct care in different ways. The decisive factor must therefore be what the business looks like, says Anna Önell.
Medhelps and Medicall’s approach, however, meant that personal data was transferred to a country outside the EU. The Privacy Protection Authority is now given the task of investigating whether it went right.
Voice Integrate’s sanction fee will also be reduced, from SEK 650,000 to SEK 500,000. The Värmland Region and the Stockholm Region will pay what the authority has previously decided, SEK 250,000 and SEK 500,000 respectively.
GIPHY App Key not set. Please check settings