It only took a few minutes before sensitive patient data that included patient names, ages, medical conditions and hospital room numbers began popping up on her screen. In one instance, Lewis came across patient data that detailed the name, age and hospital room number of a gunshot wound victim.
“I know there are a variety of situations from domestic violence and LGBTQ people and sex workers who may be getting treated for a variety of things and may be telling their doctors things in confidence,” said Lewis, the executive director of Open Privacy, a non-profit research organization focused on privacy for marginalized communities.
Lewis reported the breach to VCH in November 2018, but little was done by the health authority to follow up with her and ultimately address the vulnerability in the paging system. A few emails were exchanged between VCH’s client relations and risk management team and the privacy team about Lewis’ concerns. They were unable to identify the breach internally and did not follow up with Lewis to clarify what she had discovered.
Patient data continued to be broadcast on the unencrypted frequency for ten months until Lewis decided to go public with her findings in August 2019 and report the breach to the media.

After the breach was made public, Lewis filed an FOI for internal emails detailing VCH's response to the breach. The request asks for documents going back to when Lewis first reported it in November 2018 to the first story about the breach that was published by Attention Control on CTVNews.ca in September 2019.
The emails suggest that an internal miscommunication allowed this breach to go on, without follow-up, for almost a year, and that the health authority only seriously started looking into the breach after Attention Control started asking questions about it in mid-August. Since then, VCH said it has made some improvements to protect patient privacy.

VCH declined an interview and provided an email statement that said, in part, the health authority “has clear privacy protocols to protect patient information and we take breaches of privacy extremely seriously.” They also said they recently made changes to their systems to limit patient information sent through paging broadcasts and are working with B.C.’s Office of the Information and Privacy Commissioner as they “move to alternate technologies.”
‘Unfortunately, this vulnerability is not limited’ to Vancouver, internal emails confirm
The Office of the Information and Privacy Commissioner for B.C. is now investigating the breach at VCH and has also asked health authorities across the province to look into the security of their paging systems.
In an email dated August 29, 2019 sent to the health authorities across B.C., VCH wrote, “We’ve been made aware of a vulnerability in our paging system where media is involved. Unfortunately, this vulnerability is not limited to VCH. The same situation may exist at other health authorities.” The email also encouraged health authorities to contact the provincial privacy commissioner if they were using similar paging technology.

Providence Health Care operates hospitals and clinics in partnership with Vancouver Coastal Health and the Provincial Health Services Authority. The Provincial Health Services Authority provides specialized health care for all of B.C. and is responsible for managing the quality, coordination, accessibility and cost of certain province-wide health care programs and services. The First Nations Health Authority is responsible for planning, management, service delivery and funding of health programs, in partnership with First Nations communities in B.C.

Fraser Health, Island Health, the Provincial Health Services Authority (PHSA) and Providence Health Care (PHC) have or had paging systems similar to VCH’s and are working with B.C.’s Information and Privacy Commissioner to address these issues. VCH, Fraser Health and Island Health serve approximately 3.8 million people across the province. Fraser Health, B.C.’s largest health authority, serves more than 1.8 million people and sees over 1,900 patients every 24 hours in its emergency rooms. In an email, Fraser Health wrote it is “aware of concerns with the existing pager system” and it takes “patient privacy matters seriously.” The health authority is “taking steps to mitigate potential privacy breaches and consulting with the Office of the Information and Privacy Commissioner as we move to alternative technologies.”
PHSA said it “has limited usage of pager technology” and, where pagers exist, sensitive information has been “limited and/or removed” and “plans are underway to replace pager technology.” PHC said that “fewer than 1 per cent of transmitted pager messages are alphanumeric” and that it “is constantly looking for better ways to protect patient information.” They also said they “have no information to suggest private patient information has been used in any malicious way.”

Island Health said its primary paging system is encrypted but did identify 194 alphanumeric pagers. It says its policy is that these pager transmissions “not include personal information, including patient names”. Interior Health said its limited number of “pagers that could potentially be used to transmit patient data” have been decommissioned after an internal review. Northern Health and the First Nations Health Authority said they do not use pager technology to transmit patient data.

Across Canada, paging technology is still used in some health authorities for patient transfers or direct messaging between doctors and nurses. Steps are being taken in some regions to improve the security of this technology or phase it out. Health PEI doesn’t use pagers anymore. London Health Sciences Centre and St. Joseph’s Health Care London in London, Ontario are transitioning to an encrypted web-based technology.
No requirements to report health data breaches a problem: privacy commissioner

“One thing this draws into clear focus is the need for something that I've been calling for, for some time,” says B.C.’s Information and Privacy Commissioner Michael McEvoy, “which is the need for public and private bodies, to have an obligation to report breaches, both to my office, and to the individuals involved, where there's a real risk of significant harm that might result from such a breach.”
The legislation around whether or not a public body has to report a breach to the provincial privacy commissioner varies across the country. In B.C., Quebec and Manitoba there are no mandatory data breach reporting laws for public bodies or health custodians, meaning there is no requirement for health authorities to report breaches to the privacy commissioner or to the people affected.
“The kind of information we're talking about here is the most sensitive information that British Columbians have,” said McEvoy.

In Ontario, where there are mandatory data breach reporting laws for health custodians, a similar breach involving an unencrypted paging system was reported in March 2019. The Office of the Information and Privacy Commissioner of Ontario said in an email that, after the breach was reported, “the hospital immediately stopped transmitting identifiable patient information through its pagers, unless it is necessary for patient safety,” and “committed to reviewing its practices on the use of pagers, highlighting the risks of using pagers in its privacy training, and is considering the use of encrypted pagers.”

McEvoy’s team is hoping to work with the health authorities in B.C. to identify any possible vulnerabilities, stop them, figure out how to fix them and assess whether individuals need to be notified. Lewis is hoping this incident will spur policy changes across the country that protect patient privacy as technology continues to evolve. “I'm hoping the other privacy authorities in Canada take note and ask their own health authorities for information regarding these kinds of breaches,” said Lewis. “And I'm hoping that that will inform technical policy going forward and we won't see the same mistakes being made in the next 10 years when new technology comes in.”

Edited by CTVNews.ca producer Phil Hahn; Map by Jesse Tahirali