IMY Fines Trygg-Hansa SEK 35 Million for Data Exposure

IMY News (Sweden DPA)

Filed September 5th, 2023

Detected February 11th, 2026

Summary

The Swedish Authority for Privacy Protection (IMY) has issued an administrative fine of SEK 35 million against Trygg-Hansa. This action follows a data exposure incident where information for 650,000 customers was accessible to unauthorized persons via the internet for over two years.

View original document View source feed page

What changed

The Swedish Authority for Privacy Protection (IMY) has imposed a significant administrative fine of SEK 35 million on the insurance company Trygg-Hansa (formerly Moderna Försäkringar). The fine stems from a data security incident that resulted in the personal data of approximately 650,000 customers being accessible to unauthorized individuals via the internet between October 2018 and February 2021. The exposed data included sensitive personal information such as health details, financial information, social security numbers, and insurance holdings, which IMY deemed to be of a fundamental nature and a failure to implement appropriate technical security measures.

This enforcement action highlights the critical importance of robust data security for financial institutions. Regulated entities, particularly insurers, must review their data handling and security protocols to ensure compliance with data protection regulations. While no specific compliance deadline is mentioned for Trygg-Hansa's remediation, the substantial fine underscores the severe consequences of inadequate security measures, including potential reputational damage and significant financial penalties for non-compliance.

What to do next

Review data security measures for customer information.
Assess technical controls for preventing unauthorized access to sensitive data.
Ensure compliance with data protection regulations regarding data accessibility and security.

Penalties

SEK 35 million administrative fine

Source document (simplified)

Svensk version Listen

Administrative fine of SEK 35 million against Trygg-Hansa

Published: 5 September 2023 Trygg-Hansa's security flaws have meant that information about 650,000 customers has been accessible to unauthorized persons via the internet. The Swedish Authority for Privacy Protection (IMY) is now issuing an administrative fine of SEK 35 million against the company. After receiving a tip, IMY started an investigation of the insurance company Trygg-Hansa (then Moderna Försäkringar). The person who contacted IMY had received an email from the company with a link to a web page with price quotes. On this web page, there were clickable links with URLs that led to documents with insurance information. However, the person noticed that it was possible to access other policyholders' documents, without any kind of login, by simply replacing a few numbers in the web link.

– The documents that have been accessible to unauthorized persons have in some cases contained sensitive personal data, including information about health that also had a high level of detail, so that it was possible to find out, for example, how a health problem arose or details about a health condition. All in all, the large amount of personal data has made it possible to create a clear picture of a person's private circumstances, says Evelin Palmér, legal advisor at IMY.

Possible to access data for more than two years

IMY's supervision has shown that it was possible to access customer data for 650,000 customers during the period October 2018 to February 2021. Among the customer data, in addition to data on health, there is also other data such as financial information, contact details, social security numbers and insurance holdings.

In its decision, IMY states that the deficiencies have been of such a fundamental nature that Trygg-Hansa should have had the opportunity to discover and remedy these even before the relevant IT system was introduced and in any case during the long period that the system was used.

IMY concludes that Trygg-Hansa has not taken appropriate technical measures to ensure a level of security that is appropriate in relation to the risk. The authority therefore issues an administrative fine of SEK 35 million against the company.

Clarification

The security deficiency that IMY has found in the current case was at the insurance company Moderna Försäkringar. IMY clarifies that Moderna Försäkringar has subsequently, in April 2022, merged with Trygg-Hansa and in connection with that changed its name to Trygg-Hansa.

Latest update: 5 September 2023 Print Page labels Data protection, Tillsyn