VANCOUVER -- Paging systems used across B.C. could be exposing sensitive health data of patients, and the privacy researcher who first discovered the data breach believes it’s likely happening across the country.

“I wouldn’t be surprised to find this everywhere in Canada,” said privacy researcher Sarah Jamie Lewis, in an interview with CTVNews.ca in Vancouver. Lewis first discovered and reported the breach to Vancouver Coastal Health in November 2018. Now, internal emails released this month through a Freedom of Information request show that the vulnerability is not limited to Vancouver.

Using a small antenna that can be purchased for less than $30 online, Lewis accidentally came across an unencrypted radio frequency that was broadcasting sensitive patient data.

In August, she was interviewed by the investigative podcast and demonstrated how she was able to hook up an antenna to her laptop and tune in to an unencrypted frequency used by VCH and other health authorities for patient transport.

It only took a few minutes before sensitive patient data that included patient names, ages, medical conditions and hospital room numbers began popping up on her screen. In one instance, Lewis came across patient data that detailed the name, age and hospital room number of a gunshot wound victim.

“I know there are a variety of situations from domestic violence and LGBTQ people and sex workers who may be getting treated for a variety of things and may be telling their doctors things in confidence,” said Lewis, the executive director of , a non-profit research organization focused on privacy for marginalized communities.

Lewis reported the breach to VCH in November 2018, but little was done by the health authority to follow up with her and ultimately address the vulnerability in the paging system. A few emails were exchanged between VCH’s client relations and risk management team and the privacy team about Lewis’ concerns. They were unable to identify the breach internally and did not follow up with Lewis to clarify what she had discovered.

Patient data continued to be broadcast on the unencrypted frequency for ten months until Lewis decided to go public with her findings in August 2019 and report the breach to the media.

After the breach was made public, Lewis filed an FOI for internal emails detailing VCH's response to the breach. The request asks for documents going back to when Lewis first reported it in November 2018 to the about the breach that was published by Attention Control on CTVNews.ca in September 2019.

The emails suggest that an internal miscommunication allowed this breach to go on, without follow up, for almost a year; and that the health authority only seriously started looking into the breach after Attention Control started asking questions about the breach in mid-August. Since then, VCH said they have made to protect patient privacy.

VCH declined an interview and provided an email statement that said, in part, their health authority “has clear privacy protocols to protect patient information and we take breaches of privacy extremely seriously.” They also said they recently made changes to their systems to limit patient information sent through paging broadcasts and are working with B.C.’s Office of the Information and Privacy Commissioner as they “move to alternate technologies.”

‘Unfortunately, this vulnerability is not limited’ to Vancouver, internal emails confirm

The Office of the Information and Privacy Commissioner for B.C. is now investigating the breach at VCH and has also asked health authorities across the province to look into the security of their paging systems.

In an email dated August 29, 2019 sent to the health authorities across B.C., VCH wrote, “We’ve been made aware of a vulnerability in our paging system where media is involved. Unfortunately, this vulnerability is not limited to VCH. The same situation may exist at other health authorities.” The email also encouraged health authorities to contact the provincial privacy commissioner if they were using similar paging technology.

 

Providence Health Care operates hospitals and clinics in partnership with the Vancouver Coastal Health and the Provincial Health Services Authority.

Provincial Health Services Authority provides specialized health care for all BC and is responsible for managing the quality, coordination, accessibility and cost of certain province-wide health care programs and services.

First Nations Health Authority is responsible for planning, management, service delivery and funding of health programs, in partnership with First Nations communities in BC.

Fraser Health, Island Health, Provincial Health Services Authority (PHSA) and Providence Health Care (PHC) have or had similar paging systems to VCH and are working with B.C.’s Information and Privacy Commissioner to address these issues. VCH, Fraser Health and Island Health serve approximately 3.8 million people across the province.

Fraser Health, B.C.’s largest health authority, serves more than 1.8 million people and sees over 1,900 patients every 24 hours in their emergency rooms. In an email, Fraser Health wrote it is “aware of concerns with the existing pager system” and it takes “patient privacy matters seriously.” The health authority is “taking steps to mitigate potential privacy breaches and consulting with the Office of the Information and Privacy Commissioner as we move to alternative technologies.”

PHSA said it “has limited usage of paper technology” and, where pagers exist, sensitive information has been “limited and/or removed” and “plans are underway to replace pager technology.” PHC said that “fewer than 1 per cent of transmitted pager messages are alphanumeric” and that it “is constantly looking for better ways to protect patient information.” They also said they “have no information to suggest private patient information has been used in any malicious way.”

Island Health said their primary paging system is encrypted but did identify 194 alphanumeric pagers. They say their policy is that these pager transmissions “not include personal information, including patient names.” Interior Health said their limited number of “pagers that could potentially be used to transmit patient data” have been decommissioned after an internal review. Northern Health and First Nations Health Authority said they do not use pager technology to transmit patient data.

Across Canada, paging technology is still used in some health authorities for patient transfers or direct messaging between doctors and nurses. Steps are being taken in some regions to improve the security of this technology or phase it out. Health PEI doesn’t use pagers anymore. London Health Sciences Centre and St. Joseph’s Health Care London in London, Ontario are transitioning to an encrypted web-based technology.

No requirements to report health data breaches a problem: privacy commissioner

“One thing this draws into clear focus is the need for something that I've been calling for, for some time,” says B.C.’s Information and Privacy Commissioner Michael McEvoy, “which is the need for public and private bodies, to have an obligation to report breaches, both to my office, and to the individuals involved, where there's a real risk of significant harm that might result from such a breach.”

The legislation around whether or not a public body has to report a breach to the provincial privacy commissioner varies across the country. In B.C., Quebec and Manitoba there are no mandatory data breach reporting laws for public bodies or health custodians, meaning there is no requirement for health authorities to report breaches to the privacy commissioner or to the people affected.

“The kind of information we're talking about here is the most sensitive information that British Columbians have,” said McEvoy.

In Ontario, where there are mandatory data breach reporting laws for health custodians, a similar breach regarding an unencrypted paging system was reported in March 2019. The Office of the Information and Privacy Commissioner of Ontario said in an email that, after the breach was reported, “the hospital immediately stopped transmitting identifiable patient information through its pagers, unless it is necessary for patient safety,” and “committed to reviewing its practices on the use of pagers, highlighting the risks of using pagers in its privacy training, and is considering the use of encrypted pagers.”

McEvoy’s team is hoping to work with the health authorities here in B.C. to identify any possible vulnerabilities, stop them, figure out how to fix them and assess if individuals need to be notified.

Lewis is hoping this incident will spur policy changes across the country that protect patient privacy as technology continues to evolve. “I'm hoping the other privacy authorities in Canada take note and ask their own health authorities for information regarding these kinds of breaches,” said Lewis. “And I'm hoping that that will inform technical policy going forward and we won't see the same mistakes being made in the next 10 years when new technology comes in.”

Edited by CTVNews.ca producer Phil Hahn; Map by Jesse Tahirali

Backstory:

This story is part of five months of coverage stemming from a tip from privacy researcher Sarah Jamie Lewis. She disclosed to reporter Francesca Fionda that a massive data breach was happening in Vancouver exposing sensitive health information.

Francesca began publishing stories and the for Attention Control and CTVNews.ca in September 2019.

The primary source for this story is a 369-page Freedom of Information request requesting internal documents and emails from Vancouver Coastal Health about the data breach between November 1, 2018 and September 9, 2019.

Fionda reached out to all the health authorities in B.C. for details on how they are keeping patient data secure via paging technologies. If you want to read their responses in full you can find them here. She also reached out to all the provincial privacy commissioners and ombudspersons across Canada to confirm if any similar data breaches have been reported in their communities and spoke with experts in privacy and health technology.