Ransomware attack on Swedish IT Provider Miljödata dirupts hundreds of municipalities

A ransomware attack on Miljödata, a critical Swedish IT service provider, has paralyzed digital systems across hundreds of Swedish municipalities, regions, universities, and private organizations, exposing sensitive employee health information and creating one of the largest cybersecurity incidents in Swedish municipal government history. 

Miljödata provides software solutions for managing sick leave, rehabilitation cases, work-related injuries, and various HR reporting functions across Sweden's public sector. The systems are used by 80 percent of Sweden's municipalities, making this incident a critical threat to Sweden's local government operations and employee data security. Sweden has 290 municipalities and 21 regions.

The attack was detected on Saturday, August 24, 2025, according to the company's chief executive Erik Hallén. The compromised systems contain highly sensitive information:

• Medical certificates
• Rehabilitation plans and case files
• Work-related injury reports and documentation
• Employment law case records
• Incident and work environment reporting data
• Systematic work environment management (SAM) information
• Sensitive personal health information about current and former employees
• Student data from affected educational institutions

Approximately 250 customers of Miljödata have reported to the Swedish Authority for Privacy Protection (IMY) that they have been affected, including at least 164 municipalities and four regions. A number of private companies, colleges and universities that have also been affected. The number of affected individuals has not been disclosed but could potentially number in the hundreds of thousands.

The attack has prompted a comprehensive coordinated response from Swedish national security and cybersecurity authorities. Swedish Minister for Civil Defence Carl-Oskar Bohlin wrote on social media: "The scope of the incident has not yet been clarified, and it is too early to determine the actual consequences." The government is receiving ongoing information about the incident and is in close contact with the relevant authorities.

The National Cyber Security Center (NCSC) is currently devoting significant resources to assessing the extent of the cyber attack, but the work of assessing the damage is described as difficult because the affected computers are heavily encrypted by the attackers' ransomware.

Update - As of 9th of September 2025, the cyberattack is confirmed to have exposed personal data of over 40,000 City of Stockholm municipal employees. “An attacker has accessed personal data on all employees of the City of Stockholm,” read an internal communication sent to staff, as reported by the Mitti newspaper.

As of 16th of September 2025, Sweden's prosecution authority said on Tuesday the personal data of 1.5 million people had been leaked online after the cyberattack.

As of 25th of September 2025, affected private sector organizations are listed to include companies like as Scandinavian Airlines (SAS), metals company Boliden, and Volvo Group North America. Educational institutions impacted include the University of Borås, Linköping University, Lund University, Örebro University, and the Swedish University of Agricultural Sciences.