Patient privacy improves after data breach reported to media, but now there are concerns about a wider security risk
Patients who visited Vancouver area hospitals in the last few months, like this Vancouver General Hospital emergency department, could have had their name, age and medical condition shared through an unprotected paging system. (Francesca Fionda)
VANCOUVER -- Hospital patients in Vancouver are a little safer after changes were implemented to improve data privacy practices at Vancouver Coastal Health Authority (VCH). A paging system used by VCH to share hospital patient information has removed some of the most sensitive information after Attention Control broke the story earlier this month.
Privacy researcher Sarah Jamie Lewis first discovered that an unencrypted radio frequency was broadcasting sensitive personal information in November 2018. That information included names, ages, dates of birth, medical conditions and hospital room numbers of patients in the Vancouver area. Lewis immediately reported it to the health authority, then decided to go public after almost a year of inaction from the government.
The health authority has now taken some steps to improve patient safety, including removing medical conditions from the compromised communications.
“It's definitely exciting,” says Lewis, the executive director of Open Privacy, a non-profit research organization focused on privacy for marginalized communities. “We were quite frankly surprised and enthusiastic. We suspected that this was going to be a long period to fix and we weren't expecting to see such improvement so quickly. These are old medical systems, not exactly the area that's known for fast innovation.”
Open Privacy published a detailed timeline of events and is going to keep track of the health authority’s response as they continue to address patient privacy.
Privacy Commissioner ‘concerned that there could be a wider security risk’
Lewis has since received messages and online comments from others around the province and across North America who say they have found similar unencrypted radio frequencies with health data, raising questions about patient privacy across the province and potentially across the country.
The BC Information and Privacy Commissioner confirmed over email that they are also “concerned that there could be a wider security risk” and they’re looking into how widespread this problem could be.
Vancouver Coastal Health declined an interview request from Attention Control, instead providing an email statement saying they have “no information to suggest private patient information has been breached or used in any malicious way,” and that they’re “constantly looking for better ways to protect patient information. Those measures will improve with new technology.”
For Lewis, there are still a lot of unanswered questions around patient privacy, including how many people have been impacted by this breach and if the health authority plans on letting patients know that their data might have been compromised. “Medical data is very precious and it is collected when you’re at your most vulnerable,” she says. “So it's important that people who've been impacted by this know and get a chance to respond to that.”
“Attention Control with Kevin Newman” is a new podcast from Antica Productions, and will be investigating the intersection of data, technology, and democracy during the federal election campaign. Every week during the campaign, the show will bring listeners data-driven investigations that will help separate fact from fiction, as well as timely, in-depth interviews with insiders from the tech industry and their critics.