A suspected ransomware attack targeted Miljödata, a Swedish software provider specializing in HR and sick leave management systems. The breach impacted approximately 200 of Sweden’s 290 municipal governments, disrupting critical operations tied to employee data including medical certificates, rehabilitation plans, and work-related injury records. The attackers are actively extorting the company, though the full scope of compromised data and long-term consequences remain unclear as investigations continue. Swedish authorities, including CERT-SE and the National Cybersecurity Center, are coordinating response efforts, while the government has emphasized the incident’s role in accelerating new cybersecurity legislation. The attack has forced affected municipalities to seek alternative solutions, risking delays in HR and healthcare-related administrative processes.
Source: https://therecord.media/sweden-municipalities-ransomware-software
TPRM report: https://www.rankiteo.com/company/miljodata-ab
"id": "mil727082725",
"linkid": "miljodata-ab",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'affected_entities': [{'customers_affected': '200 municipalities and regions',
'industry': 'software (HR management)',
'location': 'Sweden',
'name': 'Miljödata',
'type': 'private company'},
{'industry': 'public administration',
'location': 'Sweden',
'name': '200 Swedish Municipalities and Regions',
'type': 'government entities'}],
'data_breach': {'personally_identifiable_information': True,
'sensitivity_of_data': 'high (personally identifiable health '
'and employment information)',
'type_of_data_compromised': ['medical records',
'rehabilitation data',
'work injury reports',
'employee HR data']},
'date_detected': '2023-11-18T00:00:00Z',
'date_publicly_disclosed': '2023-11-18T00:00:00Z',
'description': 'A suspected ransomware attack on Miljödata, a Swedish '
'software provider used for managing sick leave and HR '
'reports, has impacted around 200 of Sweden’s 290 municipal '
'governments. The attack was detected on Saturday, and the '
'attackers are attempting to extort the company. The scope and '
'consequences of the incident remain unclear as investigations '
'are ongoing. Miljödata is working with external experts to '
'restore system functionality and assess the impact. Swedish '
'authorities, including CERT-SE and the national cybersecurity '
'center, are coordinating response efforts, and a police '
'investigation is underway.',
'impact': {'brand_reputation_impact': 'potential reputational damage due to '
'widespread disruption',
'data_compromised': ['medical certificates',
'rehabilitation plans',
'work-related injuries',
'employee data'],
'identity_theft_risk': 'high (due to exposure of sensitive '
'employee data)',
'operational_impact': 'disruption of HR and sick leave management '
'for ~200 municipalities',
'systems_affected': ['HR management systems',
'sick leave reporting systems']},
'initial_access_broker': {'high_value_targets': ['municipal HR databases',
'employee health records']},
'investigation_status': 'ongoing (police investigation, CERT-SE involvement, '
'internal forensic analysis)',
'motivation': 'financial (extortion)',
'recommendations': ['implementation of upcoming Swedish cybersecurity bill',
'enhanced cybersecurity measures across public and '
'private sectors'],
'references': [{'date_accessed': '2023-11-18',
'source': 'BLT (local newspaper)'},
{'date_accessed': '2023-11-18',
'source': 'TT (Swedish press agency)'},
{'date_accessed': '2023-11-18',
'source': 'Gotland local government statement'},
{'date_accessed': '2023-11-18',
'source': 'Carl-Oskar Bohlin (Swedish Minister for Civil '
'Defence) social media update'}],
'regulatory_compliance': {'regulatory_notifications': ['CERT-SE',
'Swedish national '
'cybersecurity '
'center']},
'response': {'communication_strategy': ['ongoing updates to government '
'authorities',
'public statements via media'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['investigation into the attack',
'restoration of system functionality'],
'third_party_assistance': ['external cybersecurity experts']},
'stakeholder_advisories': ['Swedish government in close contact with affected '
'authorities',
'CERT-SE providing support to Miljödata and '
'customers'],
'title': 'Suspected Ransomware Attack on Miljödata Affecting 200 Swedish '
'Municipalities',
'type': ['ransomware', 'data breach']}