The Canadian activist group Open Privacy Research Society has discovered that hospitals in Vancouver, BC routinely broadcast patient telemetry and admissions data wirelessly, without encryption, to doctor paging systems. It is trivial to intercept these transmissions.
The organisation contacted Vancouver Coastal Health (VCH) in 2018 to notify them of the breach and, after nearly a year of inaction, decided to go public. VCH has since been spurred into action, though they continue to deny that there is any serious risk of data interception.
Open Privacy's report paints a picture of a health system sorely lacking in technical expertise, with the hospital privacy officers "unaware of the radio broadcasting component of the pager system(s)." The paging system doesn't log third-party access, but despite this, the health system's spokespeople blithely asserted that no breach had taken place.
We cannot say for certain how many patients have been impacted by this breach. We suspect that this breach has likely been ongoing for several years. We have asked that VCH answer the following questions related to this breach:
* How many patients' information has been broadcast to date in this breach?
* When were the legacy pager systems installed?
* Can a patient determine if their individual information was broadcast in the breach? If so, how?
* As some of the pager messages appeared to contain unstructured text data, is there any mechanism for patients to inquire what non-standard information in particular of theirs was broadcast unencrypted? If so, how?
* How many VCH patients continue to have their personal information broadcast unencrypted on a daily basis?
* Have any mitigations, such as shutting down these systems or limiting what information is entered into the insecure paging system, been put in place?
* How and when does VCH plan on notifying patients whose information was broadcast?
* As you have indicated that this breach will not be remedied in the immediate future, will VCH be informing current & new/incoming patients that their personal information will be broadcast unencrypted by the legacy paging system(s)? If so, how, and will patients be given an option to opt out of having their information breached?
They have also notified the Office of the Information & Privacy Commissioner in B.C.