IT Consultant Convicted for Unauthorized Access to Vaccination Registry

An IT consultant has been convicted for unlawfully accessing and leaking sensitive information from Sweden's vaccination registry. The case came to light after an anti-vaccine website published a list of nearly 800 children under the age of twelve who had received COVID-19 vaccinations, including personal details such as birth dates and vaccination specifics.

The Helsingborg District Court found the consultant guilty of copying data from the registry while employed by the Public Health Agency of Sweden. The court imposed a conditional sentence and a fine of 60 daily penalties. Initially charged with data intrusion, the classification of the crime was later adjusted to a breach of confidentiality. The defendant has maintained his innocence throughout the proceedings.

Evidence presented by the prosecution included images retrieved from the consultant's mobile phone, showing the vaccination registry displayed on a computer outside of the agency's premises. The court noted that the accused was linked to both the website publishing the information and a corresponding Twitter account.

Investigations revealed that the website was operated by another individual with whom the consultant had communicated. Law enforcement also obtained logs from a social media account believed to be used by the suspect, which included discussions with a prominent figure associated with right-wing extremist circles.

The consultant's responsibilities included migrating the national vaccination registry to a new server, granting him direct access to sensitive information. According to technical assessments, the transfer of data to his personal computer coincided with this migration, resulting in a significant volume of data being sent to his IP address, sufficient to encompass the entire registry in a compressed format.

The Public Health Agency sought damages amounting to 2.4 million Swedish kronor; however, this claim was dismissed by the court. Furthermore, the children whose data were exposed will not receive any compensation.

This case has raised concerns regarding the consultant's security vetting during his recruitment process. Documentation from his hiring stated that he might handle classified information as part of his duties. It also indicated that the agency responsible for his hiring was to establish agreements and protocols for security checks when necessary. In police interviews, a lawyer from the Public Health Agency indicated that a thorough background check was conducted, but no formal security classification was performed, which is a standard procedure for individuals in sensitive roles.