Sweden’s Privacy Protection Agency fines insurer Trygg-Hansa for exposing sensitive customer data

The following press release was issued August 30 by Sweden’s Authority for Privacy Protection (IMY):

Trygg-Hansa’s security flaws have meant that information on 650,000 customers has been accessible via the internet. The Privacy Protection Agency (IMY) is now issuing an administrative sanction fee of SEK 35 million against the company.

After receiving a tip, IMY began an inspection of the insurance company Trygg-Hansa. The tipster had received an email from the company with a link to a quote page. On the quote page, there were clickable links with URLs that led to documents with insurance information. However, the tipster noticed that it was possible to access other policyholders’ documents, without any kind of login, by simply replacing a few numbers in the web link.

– The documents that have been accessible to unauthorized persons have in some cases contained sensitive personal data, including information about health that also had a high level of detail, so that it was possible to find out, for example, how a health problem arose or details about a health condition. All in all, the large amount of personal data has made it possible to create a clear picture of a person’s private circumstances, says Evelin Palmér, lawyer at IMY.

Possible to access data for more than two years

IMY’s review has shown that it was possible to access customer data for 650,000 customers during the period October 2018 to February 2021. Among the customer data, in addition to data on health, there are also other data such as financial information, contact details, social security numbers and insurance holdings.

In its decision, IMY states that the deficiencies have been of such a fundamental nature that Trygg-Hansa should have had the opportunity to discover and remedy these even before the relevant IT system was introduced and in any case during the long period that the system was used.

IMY assesses that Trygg-Hansa has not taken appropriate technical measures to ensure a level of security that is appropriate in relation to the risk. The authority therefore issues an administrative sanction fee of SEK 35 million against the company.


The security deficiency that IMY has found in the current case was at the insurance company Moderna Försäkringar. IMY clarifies that Moderna Försäkringar has subsequently, in April 2022, merged with Trygg-Hansa and in connection with that changed its name to Trygg-Hansa.

Access the decision against Trygg-Hansa (pdf, 163 kB)

Source: Swedish Authority for Privacy

Note: SEK 35 million is equivalent to USD $3,125,290.18 at today’s conversion rate.

About the author: Dissent

Comments are closed.