Swedish SA (IMY) issues administrative fine against insurance company for security deficiencies

28 August 2023

Background information

  • Date of decision: 28 August 2023
  • Cross-border case or national case: National case
  • Controller: Trygg-Hansa
  • Legal references: Article 5 (Principles relating to processing of personal data), Article 32 (Security of processing)
  • Decision: Administrative fine
  • Key words: Data security, Insurance

Summary of the Decision

Origin of the case

The Swedish SA (IMY) opened an investigation of the insurance company Trygg-Hansa (then Moderna Försäkringar) following a complaint. The person who contacted IMY had received an email from the company with a link to a web page with price quotes. On this web page, clickable links led to documents containing insurance information. However, the person noticed that it was possible to access other policyholders' documents, without any kind of login, simply by replacing a few numbers in the web link.
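The deficiency described above is an authorisation failure on direct object references: documents are addressed by a sequential number in the link and the server never checks who is asking. The following is an added illustration written for this page, not code from the company or from IMY; the policyholder names, document ids and document texts are constructed. It contrasts a handler with the flaw beside one that enforces ownership, and shows the additional mitigation of issuing unguessable per-document link tokens instead of exposing the sequential id.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Document:
    doc_id: int
    owner: str   # authenticated account that the document belongs to
    body: str


# Constructed sample data: two policyholders with adjacent document ids,
# which is exactly what makes "change a few numbers in the link" work.
DOCUMENTS = {
    1001: Document(1001, "alice", "alice: policy terms and health questionnaire"),
    1002: Document(1002, "bob", "bob: policy terms and health questionnaire"),
}


def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """The flawed pattern: any document is served by its numeric id with no
    check of who the requester is, so ids can be enumerated by anyone."""
    doc = DOCUMENTS.get(doc_id)
    return doc.body if doc else None


def fetch_document_checked(requester: str, doc_id: int) -> Optional[str]:
    """Hardened: the server ties the document to the authenticated requester.
    Denial and "not found" produce the same result so ids cannot be probed."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != requester:
        return None
    return doc.body


# Second layer for links sent by email: a random capability token that maps
# to one document replaces the guessable sequential id in the URL.
LINK_TOKENS: dict = {}


def issue_link_token(doc_id: int) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
    LINK_TOKENS[token] = doc_id
    return token


def fetch_by_token(token: str) -> Optional[str]:
    doc_id = LINK_TOKENS.get(token)
    return DOCUMENTS[doc_id].body if doc_id is not None else None
```

In a real deployment the tokens would also carry an expiry and be revocable, and the ownership check stays in place even for token-based links so a leaked link cannot outlive the customer relationship.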

Key Findings

IMY's investigation showed that it was possible to access customer data for 650,000 customers during the period October 2018 to February 2021. The documents accessible to unauthorized persons in some cases contained sensitive personal data, including detailed health data (revealing, for example, how a health problem arose) and details about a health condition. The data available also included financial information, contact details, social security numbers and insurance holdings.

Taken together, the large amount of personal data available made it possible to build a clear picture of a person's private circumstances.

Decision

In its decision, IMY states that the deficiencies were of such a fundamental nature that the insurance company should have been able to discover and remedy them even before the relevant IT system was introduced, and in any case during the long period that the system was in use.

IMY concludes that the company did not take appropriate technical measures to ensure a level of security appropriate to the risk. The authority therefore issues an administrative fine of SEK 35 million (approximately 2.8 million EUR) against the company.

For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.