Sweden centralizes patient records in Cosmic while policing welfare contractors

Linköping municipality has reported a personal-assistance provider to police for suspected billing fraud, while Swedish Radio and Aftonbladet report that millions of patient records in nine regions are handled in Cosmic, the dominant electronic health record system built by Cambio—owned since 2019 by Investcorp, an investment firm with Gulf state ties.

On the local side, SVT Öst reports that Linköping terminated its contract with Lilja Assistans and will take over the assistance provision from May 4 after what the municipality describes as “established routines” flagged potentially incorrect invoicing. The municipality has also sought penalties and escalated to a police report, effectively turning procurement monitoring into a quasi-law-enforcement pipeline.

On the national side, Sveriges Radio’s reporting—summarized by Aftonbladet/TT—highlights that Cosmic is owned through Cambio by Investcorp, whose ownership structure is linked to Qatar and Saudi Arabia. Intelligence expert Jörgen Holmlund argues the contract terms and security guarantees should be revisited. Data-protection specialist Monika Wendleby warns that even if Cambio operates in Sweden, a subsidiary ultimately answers to its parent company.

Cambio, for its part, says no Swedish patient data is handled outside the EU and that Investcorp has no access to its systems.

The two stories are usually treated as separate genres—one about “welfare fraud,” the other about “foreign influence.” But together they describe the Swedish model’s real architecture: a public-private machine where sensitive patient data and taxpayer money flow through layers of contractors, platforms, and ownership vehicles, while the state simultaneously outsources service delivery and expands surveillance and audit functions to compensate for the loss of direct control.

That creates a predictable triad of risks.

First, a larger attack surface. Centralized record platforms become critical infrastructure by default, yet procurement incentives reward feature delivery and vendor lock-in more than verifiable security properties. When ownership chains cross borders, political risk becomes a technical parameter—whether or not any data “leaves the EU.”

Second, a larger fraud margin. Assistance services are paid per hour and documented through administrative traces that are easy to generate and hard to audit in real time. Municipal “routines” detect anomalies after the money has moved; police reports become the remedial tool.

Third, a fog of accountability. If something goes wrong—data exposure, service failure, or systematic overbilling—responsibility is distributed across the municipality, the contractor, the platform vendor, and the platform’s owners. The only actor guaranteed to remain on the hook is the taxpayer, who also gets the privilege of being logged.

The policy reflex is already visible: more logging, more cross-register checks, more centralized platforms, and fewer areas where patients and citizens can simply be left alone. Sweden is building a high-trust welfare state with low-trust plumbing—and it requires constant monitoring to keep itself upright.