Vancouver, BC - The Open Privacy Research Society has discovered that the sensitive medical information of patients being admitted to certain hospitals across the Greater Vancouver Area is being broadcast, unencrypted, by hospital paging systems, and that these broadcasts are trivially interceptable by anyone in the Greater Vancouver Area.
The data being broadcast includes the patients name, age, gender marker, diagnosis, their attending doctor and room number. Other broadcasts regarding medical tests such as x-rays are often associated with a patients last name or medical number, exposing their progression through hospital departments. Some broadcasts appear to contain freeform text, allowing other sensitive information to be entered as well. We have been able to confirm the authenticity of this data by cross-referencing records with public obituaries.
Open Privacy immediately began responsible disclosure of this issue with Vancouver Coastal Health (VCH) in November 2018. After several attempts at contact we were informed in a brief email in December 2018 that the issue had been escalated. After several months with no follow up, and with the breach still ongoing, Open Privacy made the decision to contact journalists & begin public disclosure of the existence of this breach in an attempt to inform the public while minimizing the potential harm. We provide a full disclosure timeline along with this press release.
A Note on Patient Safety & Security
As of the writing of this press release, the breach is still ongoing. Open Privacy has made the decision not to release specific details of the broadcast frequency and demodulation methods needed to exploit this breach, but we warn that such information is readily available online, and anyone with a $20 software-defined radio and some time would likely be able to rediscover what we have (and may have already done so).
Response from Vancouver Coastal Health
It was only after Open Privacy disclosed details of this breach to a journalist who subsequently contacted Vancouver Coastal Health that we received responses & further questions about this breach from VCH. In addition we also contacted the Office of the Information & Privacy Commissioner in B.C. and have since co-operated in their investigation into this breach.
VCH informed us that they had undertaken an investigation after our initial report, but that the system under investigation “was deemed secure as it was sent to specific pager devices and didn’t seem to rely on any radio connection” and that their “investigation findings leads us to believe that patient information is protected and not being intercepted.”
Two weeks ago, after Open Privacy clarified multiple misconceptions around pager operations, and provided heavily redacted samples to VCH, we received confirmation of this breach from the General Counsel / Chief Privacy Officer at Vancouver Coastal Health. This confirmation, however, was also coupled with a denial of the seriousness of the breach of patient privacy & security:
VCH takes patient privacy very seriously and is actively working to mitigate the privacy risks you have identified. Please note, however, that VCH has no information to suggest that patient information has been compromised or used for a malicious purpose.
We wish to clarify that in our communications with VCH their privacy office has stated that VCH was unaware of the radio broadcasting component of the pager system(s) in question until several weeks ago, indicating that the system’s opaqueness is an obstacle to understanding it. This opaqueness applies equally to the messages broadcast unencrypted over the airwaves: the system does not (and cannot) log access to the data by third parties, so any malicious interception would be passive and undetectable by nature.
Where this impacts patient safety and security, it is simply impossible for anyone to state that no compromise has occurred. In a hypothetical scenario wherein multiple malicious actors accessed every patient record ever broadcast, it would thus remain the case that VCH has “no information to suggest that patient information has been compromised or used for a malicious purpose.”
Questions that Vancouver Coastal Health must Answer
We cannot say for certain how many patients have been impacted by this breach. We suspect that this breach has likely been on going for several years. We have asked that VCH answer the following questions related to this breach:
- How many patients’ information has been broadcast to date in this breach?
- When were the legacy pager systems installed?
- Can a patient determine if their individual information was broadcast in the breach? If so, how?
- As some of the pager messages appeared to contain unstructured text data, is there any mechanism for patients to inquire what non-standard information in particular of theirs was broadcast unencrypted? If so, how?
- How many VCH patients continue to have their personal information broadcast unencrypted on a daily basis?
- Have any mitigations, such as shutting down these systems or limiting what information is entered into the insecure paging system, been put in place?
- How and when does VCH plan on notifying patients whose information was broadcast?
- As you have indicated that this breach will not be remedied in the immediate future, will VCH be informing current & new/incoming patients that their personal information will be broadcast unencrypted by the legacy paging system(s)? If so, how, and will patients be given an option to opt out of having their information breached?
Below we provide a timeline of emails, phone calls and in person meetings related to this data breach. As of the drafting of this press release the data breach is still active and ongoing.
- 2018-11-11: Open Privacy staff members discover the patient data broadcasts while working on an unrelated radio project.
- 2018-11-12: Sarah Jamie Lewis reaches out to Vancouver Coastal Health Privacy Office (VCH-P) with information about the breach.
- 2018-11-19: Sarah Jamie Lewis reaches out again to VCH-P after receiving no response.
- 2018-11-19: VCH-P replies “The previous email has been received by VCH Privacy and earmarked for further review.”
- 2018-11-29: Open Privacy staff confirm that sensitive medical information is still being broadcast and reaches out to VCH-P for further information on a mitigation timeline.
- 2018-11-30: VCH-P confirm that the issue “has been escalated to [their] Director of Client Relations and Risk Management to investigate”
- 2018-11-30: Sarah Jamie Lewis asks for clarification on who occupies the role of Director of Client Relations and Risk Management, this email goes unanswered.
- 2019-02-26: Open Privacy staff confirm that patient data is still being broadcast unencrypted.
- 2019-02-27: Sarah Jamie Lewis arranges a meeting with a journalist regarding the breach.
- 2019-03-04: Sarah Jamie Lewis meets with two journalists and demonstrates the pager breach. This meeting was not recorded and this meeting is never followed up on.
- 2019-07-23: During an interview with journalist Francesca Fionda, on Open Privacy’s research into Swiss election systems, Sarah Jamie Lewis discusses the pager breach.
- 2019-08-01: Sarah Jamie Lewis meets with Francesca Fionda for an interview about the pager breach. During this interview Sarah demonstrates the patient data breach (No information is recorded or transferred, and is discarded immediately).
- 2019-08-14: In response to a phone call from Francesca Fionda, VCH-P email Sarah Jamie Lewis, “We are committed to ensuring our clients’ privacy is upheld. At this time, we have not identified any paging system used at VGH that compromises client privacy. Our investigation findings leads us to believe that patient information is protected and not being intercepted.” In this email VCH-P also ask for more information to help determine the nature of the breach.
- 2019-08-14: Sarah Jamie Lewis discloses the full nature of the breach to the Open Privacy board of directors.
- 2018-08-15: Open Privacy staff confirm that patient data is still being broadcast unencrypted.
- 2019-08-15: Sarah Jamie Lewis responds to VCH-P with more information regarding the hardware & software that could be used to capture patient medical data.
- 2019-08-15: Sarah Jamie Lewis reaches out to the Office of the Information and Privacy Commissioner for B.C. (OIPC), offering to help aid any investigation they wish to undertake in regards to this data breach.
- 2019-08-18: OIPC schedule a meeting with Sarah Jamie Lewis.
- 2019-08-19: Sarah Jamie Lewis discloses details about the breach to OIPC.
- 2019-08-20: Open Privacy is notified that OIPC has referred the case to their Investigations team.
- 2019-08-20: VCH-P responds to Sarah Jamie Lewis and requests examples of interceptable messages and other additional details.
- 2019-08-20: Sarah Jamie Lewis provides heavily redacted samples to VCH-P.
- 2019-08-23: Sarah Jamie Lewis speaks to an Investigator from OIPC regarding the breach.
- 2019-08-28: Sarah Jamie Lewis receives an email with a confirmation of the breach, and two questions from VCH General Counsel & Chief Privacy Officer
- 2019-09-04: Sarah Jamie Lewis responds to questions from VCH General Counsel & Chief Privacy Officer, and confirms that Open Privacy has securely deleted all logs that were found to contain patient health records.
- 2019-09-09: Publication of this press release
Media requests should be directed to firstname.lastname@example.org.
Sarah Jamie Lewis
Executive Director, Open Privacy Research Society