DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Sweden’s Privacy Protection Agency fines insurer Trygg-Hansa for exposing sensitive customer data

Posted on September 17, 2023 by Dissent

The following press release was issued August 30 by Sweden’s Authority for Privacy Protection (IMY):

Trygg-Hansa’s security flaws have meant that information on 650,000 customers has been accessible via the internet. The Privacy Protection Agency (IMY) is now issuing an administrative sanction fee of SEK 35 million against the company.

After receiving a tip, IMY began an inspection of the insurance company Trygg-Hansa. The tipster had received an email from the company with a link to a quote page. On the quote page, there were clickable links with URLs that led to documents with insurance information. However, the tipster noticed that it was possible to access other policyholders’ documents, without any kind of login, by simply replacing a few numbers in the web link.

– The documents that have been accessible to unauthorized persons have in some cases contained sensitive personal data, including information about health that also had a high level of detail, so that it was possible to find out, for example, how a health problem arose or details about a health condition. All in all, the large amount of personal data has made it possible to create a clear picture of a person’s private circumstances, says Evelin Palmér, lawyer at IMY.

Possible to access data for more than two years

IMY’s review has shown that it was possible to access customer data for 650,000 customers during the period October 2018 to February 2021. Among the customer data, in addition to data on health, there are also other data such as financial information, contact details, social security numbers and insurance holdings.

In its decision, IMY states that the deficiencies have been of such a fundamental nature that Trygg-Hansa should have had the opportunity to discover and remedy these even before the relevant IT system was introduced and in any case during the long period that the system was used.

IMY assesses that Trygg-Hansa has not taken appropriate technical measures to ensure a level of security that is appropriate in relation to the risk. The authority therefore issues an administrative sanction fee of SEK 35 million against the company.

Clarification

The security deficiency that IMY has found in the current case was at the insurance company Moderna Försäkringar. IMY clarifies that Moderna Försäkringar has subsequently, in April 2022, merged with Trygg-Hansa and in connection with that changed its name to Trygg-Hansa.

Access the decision against Trygg-Hansa (pdf, 163 kB)

Source: Swedish Authority for Privacy

Note: SEK 35 million is equivalent to USD $3,125,290.18 at today’s conversion rate.

No related posts.

Category: Business SectorExposureNon-U.S.

Post navigation

← Personal Data Protection Commissioner of Singapore announces two decisions
“I’m Not Pro-Russia and I’m Not a Terrorist!” —- InfraGard and Airbus Hacker “USDoD” Unveils His New Campaigns →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.