The audio recordings of 2.7 millions calls made to 1177 Vårdguiden — Sweden’s healthcare hotline — were left exposed to anyone online, according to Swedish tech publication Computer Sweden.

The 170,000 hours of incredibly sensitive calls were stored on an open web server without any encryption or authentication, leaving personal information completely exposed for anyone with a web browser.

Phone calls to the MEDICALL help service were stored as WAV audio files on an unsecured server. Picture via @b9AcE. pic.twitter.com/KlkPmvORft — @mikko (@mikko) February 18, 2019

Computer Sweden listened to some of the recordings after having made efforts to limit exposure, i.e. waiting for the site to be secured. The calls included sensitive information about patients’ diseases and ailments, medication, and medical history. Some examples had people describing their children’s symptoms and giving their social security numbers.

Some of the files include the phone numbers the calls were made from. Around 57,000 numbers appear in the database and many of those are the callers’ personal numbers, making it easy to match information with a particular person.

It’s still unclear how long the calls were available for, who’s to blame for the breach, and whether any bad actors have already accessed the information.

However, it seems the leaked calls were all made to 1177 Vårdguiden’s subcontractor Medicall — a Thailand-based company owned by Swedes. When asked about the breach, Medicall CEO Davide Nyblom denied it happened despite the overwhelming contradictory evidence.

The scale and incompetence of the data breach is dumbfounding and it’s more than likely an investigation will be launched into the matter — especially considering GDPR‘s clear stance on how personally identifiable information should be handled.

Read next: What big cities can learn from the small Swiss town with a driverless bus