Loading articles...

'It's angering': BC's privacy watchdog investigating claims patient info compromised at Vancouver Hospitals

Last Updated Sep 9, 2019 at 5:09 pm PDT

(Photo credit: Dustin Godfrey for NEWS 1130)
Summary

The Office of the Information and Privacy Commissioner has opened an investigation

Open Privacy Research Society says the problem is the way hospitals and departments are sharing patient information

Vancouver Coastal Health says it's working with investigators at the Office of the Information and Privacy Commissioner

VANCOUVER (NEWS 1130) — Some of your most private and sensitive health information may be compromised when you visit Vancouver hospitals, according to a non-profit privacy advocacy group.

The allegations are serious and legitimate enough that the Office of the Information and Privacy Commissioner has opened an investigation.

Open Privacy Research Society says the problem is the way hospitals and departments are sharing patient information with each other. Executive Director Sarah Jamie Lewis says they use paging systems which essentially broadcast the data — unencrypted — through radio waves.

“Patient names, gender, date of birth, diagnosis, their doctor, the room number that they’re in, is being broadcast by paging messages,” she tells NEWS 1130. “Anybody with a laptop and a $20 [device] can effectively get a livestream of patient health information from Vancouver hospitals.”

The device is a software defined radio, which can be the size of a USB drive and plugged into a laptop.


“It’s written communications, it’s structured communication, which is how we know it’s coming from computers and not from individual people. It’s systemic, so we’re seeing as patients are being admitted to the hospital, they’re being assigned a bed,” she adds.

“We’ve been able to cross-correlate various patient names and hospital dates of admittance with public obituaries.”

Lewis says the group made the discovery almost a year ago by accident and while they notified Vancouver Coastal Health soon after, she claims they didn’t take it seriously for several months.

“Health data is one of the most sensitive collections of data that we generate as a society and to have it being treated so recklessly, it’s angering,” she adds. “It is angering that this data is still out there, and there has been very limited response or very limited care that’s gone into fixing this.”

While the group isn’t releasing specific details of the broadcast frequency and demodulation methods needed to exploit the breach Lewis says the information is readily available online.

We take breaches of privacy extremely seriously

In a statement, Vancouver Coastal Health says it’s working with investigators at the Office of the Information and Privacy Commissioner of BC on the appropriate response to the issues raised.

“Vancouver Coastal Health has clear privacy protocols to protect patient information and we take breaches of privacy extremely seriously. We have as no information to suggest private patient information has been used in any malicious way,” says the statement.

“We are constantly looking for better ways to protect patient information and those measures will improve with new technology.”

Since the investigation is now active, the Office of the Information and Privacy Commissioner of BC says it can’t disclose further details.


Lewis says to avoid a potential health breach, Vancouver Coastal Health should be moving away from transmitting the data in plain text and move towards a more secure messaging system.

“As someone who has been treated at Vancouver hospitals in the past and know people who’ve been treated, its a little disconcerting to know my info was possibly broadcast over Vancouver for anybody to pick-up,” she adds.