Potential health data breach exposing names, medical conditions discovered by privacy researcher
Sarah Jamie Lewis sits behind her laptop adorned in stickers on the roof of the Vancouver Public Library to demonstrate how easy it is to see sensitive health data of hospital patients in Vancouver. (Credit: Francesca Fionda / Attention Control podcast)
VANCOUVER -- Up on the roof of the Vancouver Public Library, privacy researcher Sarah Jamie Lewis connects a small antenna to her laptop to listen in on what appears to be a major ongoing breach of sensitive health data of patients in the Vancouver area. For months, she says, personal information has been sent over unencrypted radio frequencies. This kind of data could leave patients vulnerable to identity theft, financial crime, potentially even violence.
Lewis first discovered the breach in November and immediately alerted the local health authority. When she didn’t receive any assurances that they had fully dealt with the matter, she shared her findings with Attention Control.
“It has the diagnosis. We can see here people with ovarian cancer and liver transplants and chronic back pain,” Lewis says as she points to different data points popping up on her laptop screen exposing the names, sex, medical condition, ages, room numbers and more of hospital patients in Vancouver. The transmissions she discovered were unencrypted, making it easy to read the information. Encryption is a security measure used by most websites and apps to scramble information like your credit card numbers and passwords, making it much harder for that data to be read if it is intercepted.
“It goes the whole breadth of anything that you might go to the hospital for is encapsulated in this data,” says Lewis, the executive director of Open Privacy, a non-profit research organization focused on privacy for marginalized communities.
To confirm the data’s authenticity, Lewis cross-referenced the doctor names, hospitals and patient names exposed with publicly available records, like news stories and obituaries. It’s unclear exactly where the messages are coming from, but they appear to relate to moving patients, such as a patient escort service, bed transfers or ambulances.
When Lewis realized what she had come across, she immediately contacted the privacy officer at Vancouver Coastal Health (VCH).
But when Attention Control first spoke to Lewis in late August, eight months had passed since she reported the breach to the health authority, and the patient information was still being sent over the unencrypted frequency.
“It's disgusting that it's been at least eight months and it's not been fixed, it's probably been there far longer. And the thing that really makes me angry is that no one seems to care about this.”
Lewis emailed VCH twice with her concerns. They said they were elevating the matter to their risk department, but she didn’t get any follow-up questions about what she found until Attention Control asked the health authority.
Since then, VCH has confirmed to Lewis via email that patient information is communicated by an older pager system that is slowly being replaced. They wrote that there’s no indication anyone’s information has been compromised or misused, adding that they are taking this seriously, working on ways to reduce the threat and exploring how they can encrypt their information.
When contacted by Attention Control, VCH responded with an email, saying in part: “Vancouver Coastal Health has clear privacy protocols to protect patient information and we take breaches of privacy extremely seriously. We have no information to suggest private patient information has been breached or used in any malicious way. Vancouver Coastal Health is constantly looking for better ways to protect patient information. Those measures will improve with new technology.”
For Lewis, the response has been slow and frustrating. “The public have a right to know that their data is being breached,” she says.
'The time has come' for public bodies to report data breaches
B.C.’s Information and Privacy Commissioner Michael McEvoy believes there should be mandatory reporting requirements for government bodies as they hold some of our most sensitive data. But not all public bodies have to notify individuals and the privacy commissioner if there is a data breach.
In the federal public sector, there is a requirement for all federal government institutions to notify affected individuals if there are certain breaches of personal information.
But whether provincial public bodies are required to notify individuals or report a breach to a privacy office varies by province and territory. Reporting and notification depend on whether there are specific regulations around health data and on the risk of harm from the breach.
Mandatory breach notification exists in most states in the U.S. and in Europe, says McEvoy, but in “Canada it's very patchwork and so that's not acceptable.”
In B.C., Quebec, and Manitoba, there aren’t any privacy laws requiring public bodies to report a data breach, health or otherwise.
“Most importantly, the public expects that if something goes very wrong with their data, that's held by government or a business that they are customers of, that they're going to be told,” says McEvoy.
Lewis has now taken her concerns about Vancouver patient health data directly to McEvoy’s office, which confirms it is aware of the issue and is looking into it. McEvoy says data breach reporting by public bodies should be made mandatory.
“This is an issue that we've looked at, but really the time has come where there should be a legal obligation, to report and should not depend on whether or not the health authority believes it's something that [they] should come to our office with.”
“Attention Control with Kevin Newman” is a new podcast from Antica Productions, and will be investigating the intersection of data, technology, and democracy during the federal election campaign. Every week during the campaign, the show will bring listeners data-driven investigations that will help separate fact from fiction, as well as timely, in-depth interviews with insiders from the tech industry and their critics.