Information about a personal data breach in the National Vaccination Register

The Public Health Agency of Sweden is currently handling a case in which, among other things, personal data about vaccinations against COVID-19 may have been disclosed in July 2022.

The personal data is from the Public Health Agency of Sweden’s National Vaccination Register, to which the country’s regions report administered vaccinations. The Public Health Agency of Sweden is responsible for all data in the National Vaccination Register.

The Public Health Agency of Sweden is treating the incident as a personal data breach.

Brief description of the sequence of events

On 8 July 2022, the Public Health Agency of Sweden was made aware that data about children’s vaccinations against COVID-19 had been published on a website. On 11 July 2022, a suspicion arose that the data came from the agency’s National Vaccination Register. As a result of the incident, the Public Health Agency of Sweden took a number of actions, including filing a police report and reporting the personal data breach to the Swedish Authority for Privacy Protection.

Charges have now been brought against a suspected perpetrator. The person being prosecuted was hired as an IT consultant by the Public Health Agency of Sweden, via a consulting company. According to the indictment, the consultant intentionally disclosed personal data that the consultant, in their role at the Public Health Agency of Sweden, was obliged to keep secret.

After taking part in the investigations, the agency assesses that there is a risk that the entire National Vaccination Register may have been disclosed in connection with the incident. From a data protection perspective, disclosure means that there is a risk that the data has been copied and moved to a location where it is beyond the agency’s control. No one need actually have accessed, read, or shared the information in order for it to be considered disclosed.

There is currently no indication that the information has been disseminated, but this cannot be ruled out, either.

FAQ about the National Vaccination Register (folkhalsomyndigheten.se) (in Swedish)

We confirm that the data that may have been disclosed include:

  • personal identity number
  • the dose of the administered vaccine
  • date of vaccination
  • product (the vaccine that has been administered and the so-called batch number)
  • region and county where the vaccination was carried out
  • health centre or equivalent
  • e-mail address of the region’s contact person.

What happens next?

The police investigation has now been completed, and the Swedish Prosecution Authority has brought charges against a suspected perpetrator. The trial is scheduled to begin towards the end of April 2024.

The Public Health Agency of Sweden regrets the incident and the consequences it may entail for individuals.

How the Public Health Agency of Sweden processes personal data

The website of the Public Health Agency of Sweden provides information on how the agency processes personal data. The Swedish Authority for Privacy Protection is the authority that supervises the processing of personal data. If you are dissatisfied with how the Public Health Agency of Sweden processes your personal data, you can submit a complaint to the Swedish Authority for Privacy Protection.

How the Public Health Agency of Sweden processes personal data (folkhalsomyndigheten.se) (in Swedish)

Complain about incorrect processing of your personal data (imy.se)

The Public Health Agency of Sweden’s Data Protection Officer can be reached via this e-mail address: dataskyddsombud@folkhalsomyndigheten.se