Disclosure of Vancouver Patient Medical Data Pager Breach
In November 2018, Open Privacy staff members discovered data from patients admitted to Vancouver area hopsitals was being broadcast unencrypted over paging systems, making them openly available to anyone in the Great Vancouver Area with minimal equipment and expertise.
The data being broadcast included the patients name, age, gender marker, diagnosis, attending doctor and room number. Other broadcasts regarding medical tests such as x-rays are often associated with a patients last name or medical number, making their progression through hospital systems trivial to piece together. We have been able to confirm the authenticity of this data by cross-referencing this data with a public obituary.
Open Privacy immediately began responsible disclosure of this issue with Vancouver Coastal Health. However the disclosure was initially ignored, and it wasn’t until Open Privacy contacted members of the media and the Office of the Information & Privacy Commisionor in B.C. that VCH began asking technical questions regarding the breach.
This page documents the timeline and impact of that disclosure.
Below we provide a timeline of emails, phone calls and in person meetings related to this data breach. As of the drafting of this press release the data breach is still active and ongoing.
- 2018-11-11: Open Privacy staff members discover the patient data broadcasts while working on an unrelated radio project.
- 2018-11-12: Sarah Jamie Lewis reaches out to Vancouver Coastal Health Privacy Office (VCH-P) with information about the breach.
- 2018-11-19: Sarah Jamie Lewis reaches out again to VCH-P after receiving no response.
- 2018-11-19: VCH-P replies “The previous email has been received by VCH Privacy and earmarked for further review.”
- 2018-11-29: Open Privacy staff confirm that sensitive medical information is still being broadcast and reaches out to VCH-P for further information on a mitigation timeline.
- 2018-11-30: VCH-P confirm that the issue “has been escalated to [their] Director of Client Relations and Risk Management to investigate”
- 2018-11-30: Sarah Jamie Lewis asks for clarification on who occupies the role of Director of Client Relations and Risk Management, this email goes unanswered.
- 2019-02-26: Open Privacy staff confirm that patient data is still being broadcast unencrypted.
- 2019-02-27: Sarah Jamie Lewis arranges a meeting with a journalist regarding the breach.
- 2019-03-04: Sarah Jamie Lewis meets with two journalists and demonstrates the pager breach. This meeting was not recorded and this meeting is never followed up on.
- 2019-07-23: During an interview with journalist Francesca Fionda, on Open Privacy’s research into Swiss election systems, Sarah Jamie Lewis discusses the pager breach.
- 2019-08-01: Sarah Jamie Lewis meets with Francesca Fionda for an interview about the pager breach. During this interview Sarah demonstrates the patient data breach (No information is recorded or transferred, and is discarded immediately).
- 2019-08-14: In response to a phone call from Francesca Fionda, VCH-P email Sarah Jamie Lewis, “We are committed to ensuring our clients’ privacy is upheld. At this time, we have not identified any paging system used at VGH that compromises client privacy. Our investigation findings leads us to believe that patient information is protected and not being intercepted.” In this email VCH-P also ask for more information to help determine the nature of the breach.
- 2019-08-14: Sarah Jamie Lewis discloses the full nature of the breach to the Open Privacy board of directors.
- 2018-08-15: Open Privacy staff confirm that patient data is still being broadcast unencrypted.
- 2019-08-15: Sarah Jamie Lewis responds to VCH-P with more information regarding the hardware & software that could be used to capture patient medical data.
- 2019-08-15: Sarah Jamie Lewis reaches out to the Office of the Information and Privacy Commissioner for B.C. (OIPC), offering to help aid any investigation they wish to undertake in regards to this data breach.
- 2019-08-18: OIPC schedule a meeting with Sarah Jamie Lewis.
- 2019-08-19: Sarah Jamie Lewis discloses details about the breach to OIPC.
- 2019-08-20: Open Privacy is notified that OIPC has referred the case to their Investigations team.
- 2019-08-20: VCH-P responds to Sarah Jamie Lewis and requests examples of interceptable messages and other additional details.
- 2019-08-20: Sarah Jamie Lewis provides heavily redacted samples to VCH-P.
- 2019-08-23: Sarah Jamie Lewis speaks to an Investigator from OIPC regarding the breach.
- 2019-08-28: Sarah Jamie Lewis receives an email with a confirmation of the breach, and two questions from VCH General Counsel & Chief Privacy Officer
- 2019-09-04: Sarah Jamie Lewis responds to questions from VCH General Counsel & Chief Privacy Officer, and confirms that Open Privacy has securely deleted all logs that were found to contain patient health records.
- 2019-09-09: Publication of press release.
Post-Public Disclosure Timeline
- 2019-09-09: Open Privacy submits a Freedom of Information request to Vancouver Coastal Health requesting all information relating to the initial investigation which (incorrectly) concluded that there was no security issue.
- 2019-09-11 VCH Freedom of Information Office confirms receipt of the FoI request, and provides a response deadline of the 22nd October 2019.
- 2019-09-18: VCH informs Open Privacy that they have removed Diagnosis information from paging broadcasts, but that they have “no plans to notify patients whose information may have been sent to pagers in order that proper care instructions were communicated to health care professionals whose job it was to ensure appropriate and safe care to them.” and that “While the questions you have raised below may be relevant to an investigation, if there has been a confirmed privacy breach; as yet, the only actual unauthorized interception of the paging broadcasts that we are aware of is when your organization received and decoded the messages as part of your research/investigation”
- 2019-09-19: Sarah Jamie Lewis speaks to Francesca Fionda regarding the removal of patient diagnosis from the broadcasts.
- 2019-09-20: Sarah Jamie Lewis provides evidence to VCH and OIPC-BC that other parties have publicly reported accessing patient data in pager broadcasts prior to the Open Privacy’s disclosure of the issue to VCH in November 2018. Many of these reports dated back years (one to 2016, and another confirmed reports that dated back prior to 2010).
- 2019-09-24: An investigator at OIPC-BC confirms receipt of the evidence and states that they are “unable to comment as the matter is under investigation.”
- 2019-10-22: VCH Freedom of Information Office fails to meet their deadline.
- 2019-10-23: Sarah Jamie Lewis contacts VCH Freedom of Information Office informing them of their missed deadline, and requests an update, and a response.
- 2019-10-23: VCH Freedom of Information Office notifies Open Privacy of an extension requirement “Due to the vast amount of records to be searched and reviewed”. The extended time limit will expire on December 4, 2019.
- 2019-12-04: VCH Freedom of Information Office responds to our request with a 369 pages of (heavily redacted) internal emails & documents.
- 2019-12-13: Based on the FoI response, Francesca Fionda publishes a story on the potential for the breach to have Canada-wide impact and the response of health authorities beyond Vancouver Coastal Health.