Swedish data protection regulator investigates breach of 1.5 million records

Sweden’s data protection authority, the Integritetsskyddsmyndigheten (IMY), has opened an investigation after a major data breach exposed personal information of approximately 1.5 million individuals.

 

 

The incident dates back to August, when the IT supplier Miljödata was hit by a large-scale ransomware attack. The supplier serves municipal and regional clients across Sweden, including areas such as Gotland, Halland, Kalmar, Varberg, Umeå, Luleå, Kiruna, Mönsterås, Karlstad, and Skellefteå. The breach reportedly affected more than 200 municipalities and regions.

Hackers succeeded in accessing and publishing large volumes of personal data on the dark web. The compromised data includes names, medical certificates, rehabilitation plans, occupational injury records, and other sensitive health data. IMY said the full scope of the breach is not yet determined, but emphasised the severity of the incident.

Sweden’s Minister for Civil Defence, Carl‑Oskar Bohlin, commented publicly on the situation. In a statement posted to X, he noted that the government takes such cyber-attacks and IT incidents very seriously and acknowledged the concern and uncertainty that victims may face.

IMY has started detailed inquiries into Miljödata and several affected organisations, including the city of Gothenburg, Älmhult municipality, and the Västmanland region. The regulator indicated it may broaden its review to other entities. Jenny Bård, Head of the Camera Surveillance Unit at IMY, said the breach “raises a number of questions about what the security looked like and what types of personal data have been stored on the systems”.

At this stage, IMY has not provided a timeline for completion of the investigation, and Miljödata has not yet publicly disclosed how the ransomware actors managed to infiltrate its systems.

The case underlines the risk posed by third-party IT providers. A single supplier breach has impacted a large number of public institutions and the health data of a significant portion of the Swedish population. Observers say this may prompt further scrutiny over how public-sector organisations select and supervise their service-providers. Because health and occupational data are highly sensitive, individuals affected may face both privacy risks and potential discrimination if the information is misused.

For the affected municipalities, the immediate challenges will include identifying which individuals are impacted, notifying them under Sweden’s data protection law, and implementing remediation and monitoring to prevent misuse. Municipal authorities that store or process the exposed data may also face reputational damage and regulatory sanctions.

Across Europe, regulators are paying close attention to such incidents. Sweden’s investigation echoes a broader concern that ransomware attacks on service providers can cascade into large-scale personal data incidents. In this instance, more than one and a half million people may already have had data made publicly available, escalating the urgency of the regulator’s response.

While investigations proceed, IMY argues that lessons must be learned and weaknesses addressed so that similar events are less likely in the future. The regulator’s focus will be on identifying potential shortcomings, such as inadequate access controls, weak supplier oversight, or delays in detecting the intrusion, that permitted the breach to spread so widely.

Affected individuals should monitor their personal accounts and relevant communications. Because health-related data is involved, they may want to check for signs of unusual contact, unexpected healthcare or insurance communications, and identity theft attempts. Public bodies and individuals alike may benefit from strengthening multifactor authentication, reviewing vendor access policies, and conducting security audits of outsourced supplier arrangements.