Over 10,000 private photos that came in to Lommelegen were stored for years – Aller answers – news Trøndelag

No referral. No waiting room. And perhaps most importantly: the option to remain anonymous. The advice service Lommelegen made it possible to ask questions to doctors and other professionals. Until the counseling service closed in 2021, they answered over 50,000 questions, about everything from anxiety to insect bites. You could also upload pictures of what was ailing you. Users were promised that the images would be deleted within 90 days and that they would never be published online. But then a problem arose.

Were not deleted

Dagbladet AS and the owner company Aller Media have been responsible for ensuring that the personal data at Lommelegen was safe. In April this year, they went through their computer systems. Then they discovered that images that had been submitted to Lommelegen from 2017 until November 2021 were still available on a storage unit. They had therefore not been deleted, as the users had been promised.

– This storage unit had a setting which meant that it was, in theory, not protected against unauthorized access, says Camilla Fuglem. She is executive vice president for technology and data at Aller.

Group director for technology and data in Aller, Camilla Fuglem

– This is a routine failure on our part, which is regrettable, but which is very unlikely to have caused any damage, she says.

Name and social security number

Between 200 and 500 of the images contained information that enabled specific people to be identified. That is what Aller Media writes in a notice of non-conformity to the Norwegian Data Protection Authority. For example, some of the users had sent in X-ray images with names or social security numbers.

Lommelegen advertised that you could submit X-rays so that their experts could assess them. Screenshot from Lommelegen November 2017. Photo: Wayback Machine / Lommelegen.no

In most of the more than 10,000 photos that were submitted to Lommelegen, it was difficult to identify anyone by looking at the image, according to the notice of non-conformity. Some were close-ups of, for example, wounds or rashes. But there was more information in the pictures than could be seen with the naked eye. 1,200 of the digital images contained precise information about where the image was taken.

“Mental strain”

In the statement to the Norwegian Data Protection Authority, Aller describes what the error can mean for those who have submitted images.

Camilla Fuglem in Aller says that the company has not notified the people who can be identified in the photos.

– No. There is no reason to believe that personal data has gone astray. The discrepancy has been reported to the Norwegian Data Protection Authority for the record.

But she cannot guarantee that no one has found the pictures online.

– In a digital world, it is hardly possible to give guarantees that no one has access. But it appears highly unlikely that outsiders have had access to the material. We also have no evidence that it has happened, she says.

It was not possible to find the images by searching Google or other search engines, according to Aller. But you could access the images if you had the correct internet address to the database where the images were stored.

– This has not been shared with anyone in any way, emphasizes Fuglem.

Unacceptable and clearly illegal

– They have secured very sensitive personal data in such a bad way that it is clearly illegal, says Dag Wiese Schartum. He is a professor at UiO, and one of Norway’s foremost experts on privacy.

Law professor Dag Wiese Schartum believes that Lommelegen has had illegally poor security. Photo: Olav Døvik / news

The professor believes it is serious that the images were potentially available, even if it has been difficult to find them. He believes the consequences would have been great if someone had found the photos.

– It is an unacceptable risk, he says.

The fact that the pictures were unsecured is still not the most objectionable thing in the case, Schartum believes. He says that the most serious thing is that the images were stored for such a long time.

– The purpose here is to provide answers, to provide healthcare and information about people’s specific questions. Once those answers have been given, the information must be deleted. And they clearly haven’t done that, he says.

Reported itself

– Our routine was to delete the images after 90 days. This was an automatic routine that has unfortunately failed. It is of course regrettable, says Camilla Fuglem in Aller.

Aller has tested its security several times in recent years. But the error was not discovered until this year.

– It illustrates how improbable and theoretical it is that someone unauthorized has discovered the access, she says.

Fuglem does not immediately agree with the professor’s assessment of illegally poor security.

– Of course, we cannot give out details about our security system, and the professor does not know about it either. But there has been a discrepancy, and we reported it to the Norwegian Data Protection Authority ourselves, she says.

Lommelegen ended its advisory service in 2021. It is now a website with articles written by experts and journalists, they state in the notice of non-conformity.

The Norwegian Data Protection Authority is now assessing whether Aller has broken the law and whether they should be fined. The authority will not comment on the matter until it has finished with it. The conclusion should be ready at the beginning of January, they inform news.


