Region Uppsala reports personal data breach to the Swedish Authority for Privacy Protection (IMY)
(Read the Swedish version of this text)
On Monday 31/7, Region Uppsala became aware that an unauthorized person was granted access to the personal data in the ticket system that processes purchases in the UL app. The IT system was repaired on Tuesday, and the incident has been reported to the Swedish Authority for Privacy Protection (IMY).
An external party has downloaded a list of registered customers in the ticket system in the UL app. Immediately after the discovery, the individual in question contacted Region Uppsala.
The data that has been downloaded are e-mail addresses, mobile phone numbers and history of ticket purchases. However, no information about passwords, personal identity numbers, account numbers or medical transport tickets has been stored in the ticket system.
The IT system has been repaired. A notification of a personal data breach has been submitted to the Swedish Authority for Privacy Protection (IMY) because the data that has been downloaded from the system is covered by the General Data Protection Regulation (GDPR).
The incident is considered serious because we are committed to protecting our customers' privacy. “We have been able to quickly repair the IT system, and will continue working to increase security”, says Peter Samuelsson, Head of Department, Systems and Technology.
It is currently unclear how many people have been affected by the personal data breach. Region Uppsala continues to investigate the incident and will inform anyone who is affected as soon as possible, in accordance with applicable regulations.
Questions and answers
Has my password and account information been compromised?
No. Only e-mail addresses, mobile phone numbers and ticket purchases have been revealed. The system has been repaired and no data is visible any longer.
Have I been hacked?
No, neither your phone, e-mail, UL app nor any of your other accounts have been hacked. Only a system at UL has been affected by the intrusion.
Why am I getting a e-mail from UL, I haven't used the app in years?
E-mails/text messages are sent to everyone who has ever been registered in the UL app.
Why is e-mail being sent from a no reply address?
We are required by law to promptly contact anyone affected in the event of a personal data breach. In this case, the technical solution we were able to use was a no reply address. We understand that it can be difficult to determine whether the email is legitimate. We therefore refer you to UL's website where you can read more about the data breach.
I don't use the app and want to be removed from your database, what should I do?
E-mail the registrar at registrator.ktf@regionuppsala.se
Contact
If you have any questions, please contact: fragaoss@ul.se and we will respond as soon as we can. If you would prefer to talk to someone at UL's customer service, call 0771 14 14 14 between 6:00 am – 10:00 pm on weekdays and 8:00 am – 0:00 pm on weekends.
If you have any questions about data protection, you can contact Region Uppsala's data protection officer: dataskyddsombud@regionuppsala.se
Read more
Read about how Region Uppsala processes your personal data at: Personal data processing [In Swedish] (regionuppsala.se)
You have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY). Refer to the Swedish Authority for Privacy Protection's website: www.imy.se
Read the notification of the incident on UL's website [In Swedish]. Notification of personal data breach (ul.se)