Sweden outsources patient-journal infrastructure to Gulf-linked owner

Regions run Cosmic while officials warn about systemic exposure

Sweden’s healthcare bureaucracy is centralising ever more sensitive data into a few mega-systems, then acting surprised that the resulting single points of failure attract geopolitical attention.

According to Sveriges Radio, relayed by Aftonbladet, roughly nine Swedish regions use the electronic health record platform Cosmic, built by Swedish vendor Cambio. In 2019, Cambio was acquired by Investcorp, an investment firm whose ownership is described as having connections to Qatar and Saudi Arabia. Intelligence expert Jörgen Holmlund tells SR that Sweden should revisit the contractual setup and demand new security guarantees. Data-protection specialist Monika Wendleby adds the corporate-law reminder: a local subsidiary may be Swedish, but it still answers to its parent.

Cambio’s response is the standard compliance incantation: no Swedish patient data is handled outside the EU, and Investcorp has no access to Cambio’s systems, its press office says. That may be true in a narrow technical sense. The question is not whether a database is physically located in Frankfurt or Falun; it’s whether Sweden is building a healthcare operating model where the blast radius of any compromise—technical, legal, political, or simply managerial—becomes national by design.

At the same time, the state is busy policing the other side of the welfare ledger with equal zeal and similarly perverse incentives. SVT Öst reports that Linköping municipality has filed a police report against private provider Lilja Assistans after its “established routines” flagged suspected incorrect invoicing. The municipality has terminated the contract and will take over the personal assistance from May 4.

Together, the two stories point to the Swedish administrative instinct: standardise everything, then enforce the standard with threats. When the state (and its regional/municipal appendages) mandates a small set of platforms and reimbursement logics, it doesn’t just reduce “fragmentation.” It also turns fraud into an engineering problem—find the loophole in the billing model—and turns cybersecurity into a systemic risk—compromise the platform, compromise everyone.

The political sales pitch is that centralisation enables control. In practice, it concentrates liability while dispersing accountability. Regions sign long contracts, municipalities chase invoices, and citizens are told to trust that “the EU” is a sufficient security perimeter—until the next procurement scandal, breach, or jurisdictional surprise.

If Swedish healthcare is going to be run like a national utility, it should be treated like one: genuine vendor diversity, transparent threat modelling, and the freedom for regions and providers to choose architectures that fit their risk profiles—rather than being herded into the same software monoculture and then blamed when the predictable happens.