VANCOUVER -- Hospital patients in Vancouver are a little safer after changes were implemented to improve data privacy practices at Vancouver Coastal Health Authority (VCH). A paging system used by VCH to share hospital patient information has removed some of the most sensitive information after Attention Control broke the story earlier this month.
Privacy researcher Sarah Jamie Lewis first discovered that an unencrypted radio frequency was broadcasting sensitive personal information in November 2018. That information included names, ages, dates of birth, medical conditions and hospital room numbers of patients in the Vancouver area. Lewis immediately reported it to the health authority, then decided to go public after almost a year of inaction from the government.
The health authority has now taken some steps to improve patient safety, including removing medical conditions from the compromised communications.
鈥淚t's definitely exciting,鈥 says Lewis, the executive director of Open Privacy, a non-profit research organization focused on privacy for marginalized communities. 鈥淲e were quite frankly surprised and enthusiastic. We suspected that this was going to be a long period to fix and we weren't expecting to see such improvement so quickly. These are old medical systems, not exactly the area that's known for fast innovation.鈥
Open Privacy published and is going to keep track of the health authority鈥檚 response as they continue to address patient privacy.
Privacy Commissioner 鈥榗oncerned that there could be a wider security risk鈥
Lewis has since received messages and online comments from others around the province and across North America who say they have found similar unencrypted radio frequencies with health data, raising questions about patient privacy across the province and potentially across the country.
The BC Information and Privacy Commissioner confirmed over email that they are also 鈥渃oncerned that there could be a wider security risk鈥 and they鈥檙e looking into how widespread this problem could be.
Vancouver Coastal Health declined an interview request from Attention Control, instead providing an email statement saying they have 鈥渘o information to suggest private patient information has been breached or used in any malicious way,鈥 and that they鈥檙e 鈥渃onstantly looking for better ways to protect patient information. Those measures will improve with new technology.鈥
For Lewis, there are still a lot of unanswered questions around patient privacy, including how many people have been impacted by this breach and if the health authority plans on letting patients know that their data might have been compromised. 鈥淢edical data is very precious and it is collected when you鈥檙e at your most vulnerable,鈥 she says. 鈥淪o it's important that people who've been impacted by this know and get a chance to respond to that.鈥
鈥溾 is a new podcast from Antica Productions, and will be investigating the intersection of data, technology, and democracy during the federal election campaign. Every week during the campaign, the show will bring listeners data-driven investigations that will help separate fact from fiction, as well as timely, in-depth interviews with insiders from the tech industry and their critics.