VANCOUVER (NEWS 1130) — Some of your most private and sensitive health information may be compromised when you visit Vancouver hospitals, according to a non-profit privacy advocacy group.
The allegations are serious and legitimate enough that the Office of the Information and Privacy Commissioner has opened an investigation.
Open Privacy Research Society says the problem is the way hospitals and departments are sharing patient information with each other. Executive Director Sarah Jamie Lewis says they use paging systems which essentially broadcast the data — unencrypted — through radio waves.
“Patient names, gender, date of birth, diagnosis, their doctor, the room number that they’re in, is being broadcast by paging messages,” she tells NEWS 1130. “Anybody with a laptop and a $20 [device] can effectively get a livestream of patient health information from Vancouver hospitals.”
The device is a software-defined radio, which can be the size of a USB drive and plugs into a laptop.
Since its investigation is active, @BCInfoPrivacy says it can’t disclose more details.
In a statement, @VCHhealthcare says it’s working with BC’s privacy watchdog on the “appropriate response to the issues raised.”
— Monika Gul (@MonikaGul) September 9, 2019
“It’s written communications, it’s structured communication, which is how we know it’s coming from computers and not from individual people. It’s systemic, so we’re seeing as patients are being admitted to the hospital, they’re being assigned a bed,” she adds.
“We’ve been able to cross-correlate various patient names and hospital dates of admittance with public obituaries.”
Lewis says the group made the discovery almost a year ago by accident and, while it notified Vancouver Coastal Health soon after, she claims the health authority didn’t take it seriously for several months.
“Health data is one of the most sensitive collections of data that we generate as a society and to have it being treated so recklessly, it’s angering,” she adds. “It is angering that this data is still out there, and there has been very limited response or very limited care that’s gone into fixing this.”
While the group isn’t releasing specific details of the broadcast frequency and demodulation methods needed to exploit the breach, Lewis says the information is readily available online.
We take breaches of privacy extremely seriously
In a statement, Vancouver Coastal Health says it’s working with investigators at the Office of the Information and Privacy Commissioner of BC on the appropriate response to the issues raised.
“Vancouver Coastal Health has clear privacy protocols to protect patient information and we take breaches of privacy extremely seriously. We have no information to suggest private patient information has been used in any malicious way,” says the statement.
“We are constantly looking for better ways to protect patient information and those measures will improve with new technology.”
Since the investigation is now active, the Office of the Information and Privacy Commissioner of BC says it can’t disclose further details.
.@OpenPriv says the issue is the way patient information is shared between hospitals and departments.
They use paging systems that essentially broadcast the data — unencrypted — through radio waves.
Anyone with the know-how, some money, and Google can access this.
— Monika Gul (@MonikaGul) September 9, 2019
Lewis says that to avoid a potential health breach, Vancouver Coastal Health should move away from transmitting the data in plain text and towards a more secure messaging system.
“As someone who has been treated at Vancouver hospitals in the past and know people who’ve been treated, it’s a little disconcerting to know my info was possibly broadcast over Vancouver for anybody to pick up,” she adds.