Sweden’s data protection authority (DPA) issued a penalty of 35 million Swedish krona (U.S. $3.2 million) against insurance company Trygg-Hansa for alleged security flaws that made customer insurance information accessible on the internet.

The issue occurred in November 2020 at Moderna Försäkringar, which Trygg-Hansa merged with in April 2022, the company said in a translated clarifying statement. Trygg-Hansa said the issue did not affect its customers.

The details: The Swedish DPA said in a translated press release Wednesday its review, informed by a customer tip, found the data of 650,000 Moderna Försäkringar customers was left accessible from October 2018 to February 2021. The tipster “noticed that it was possible to access other policyholders’ documents, without any kind of login, by simply replacing a few numbers in the web link,” according to the regulator.

Documents exposed included data on health, financial and contact information, Social Security numbers, and insurance holdings.

The DPA found the company did not have appropriate technical measures to ensure data security in line with the requirements of the European Union’s General Data Protection Regulation.

Company response: In its statement, Trygg-Hansa said Moderna Försäkringar rectified the security gap immediately after being informed by the DPA. The control systems at Moderna Försäkringar “did not live up to the company’s high requirements for a secure IT environment that should ensure that customers’ personal data is protected,” Trygg-Hansa said.

An internal investigation at the company indicated only 202 customers were likely directly affected in a way that their data might have been exposed to unauthorized persons, according to Trygg-Hansa.