Vancouver, BC - The Open Privacy Research Society has received an update from Vancouver Coastal Health (VCH) after last week's press release publicly disclosing that we had discovered that the sensitive medical information of patients being admitted to certain hospitals across the Greater Vancouver Area is being broadcast, unencrypted, by hospital paging systems, and that these broadcasts are trivially interceptable by anyone in the Greater Vancouver Area.
Vancouver Coastal Health have informed Open Privacy that they have removed diagnosis information from pager broadcasts:
In the meantime, just last week, we have implemented a process and system change that removes diagnosis information from the paging broadcasts, which we believe removes the most sensitive of the information that was previously contained in the messages.
While this is a great improvement for protecting patient privacy, we caution that patient name, age, gender marker, attending doctor and room number are still being broadcast, unencrypted, across Vancouver.
Vancouver Coastal Health also informed us that they do not plan on notifying patients about this breach of their medical records:
Although we are treating this as a serious vulnerability, at this point we have no plans to notify patients whose information may have been sent to pagers in order that proper care instructions were communicated to health care professionals whose job it was to ensure appropriate and safe care to them.
We believe that all patients have a right to know if their medical records may have been compromised.
Finally, we have pushed back on statements by Vancouver Coastal Health regarding the impact of this breach:
While the questions you have raised below may be relevant to an investigation if there has been a confirmed privacy breach, as yet the only actual unauthorized interception of the paging broadcasts that we are aware of is when your organization received and decoded the messages as part of your research/investigation.
Since our press release last week we have received reports of other people intercepting this medical data prior to our discovery and our report to Vancouver Coastal Health in November 2018. We have made Vancouver Coastal Health aware of these reports. These reports reinforce our previous statement that it is simply impossible for anyone to state that no compromise has occurred. Even in a hypothetical scenario wherein multiple malicious actors accessed every patient record ever broadcast, it would still be the case that VCH has “no information to suggest that patient information has been compromised or used for a malicious purpose.”
We have again asked that VCH answer the following questions related to this breach:
- How many patients’ information has been broadcast to date in this breach?
- When were the legacy pager systems installed?
- Can a patient determine if their individual information was broadcast in the breach? If so, how?
- As some of the pager messages appeared to contain unstructured text data, is there any mechanism for patients to inquire what non-standard information in particular of theirs was broadcast unencrypted? If so, how?
- How many VCH patients continue to have their personal information broadcast unencrypted on a daily basis?
- Have any mitigations, such as shutting down these systems or limiting what information is entered into the insecure paging system, been put in place?
- How and when does VCH plan on notifying patients whose information was broadcast?
- As you have indicated that this breach will not be remedied in the immediate future, will VCH be informing current & new/incoming patients that their personal information will be broadcast unencrypted by the legacy paging system(s)? If so, how, and will patients be given an option to opt out of having their information breached?
Media requests should be directed to firstname.lastname@example.org.
Sarah Jamie Lewis
Executive Director, Open Privacy Research Society