A privacy researcher in Vancouver has discovered that there is an ongoing breach of sensitive health data of local patients – via a radio frequency that lacks proper encryption.
Sarah Jamie Lewis, the executive director of non-profit privacy research organization Open Privacy, first discovered the vulnerability last November by listening in to the radio frequency on her laptop. She immediately notified the local health authority of the vulnerability, but did not receive any assurances that the matter had been dealt with.
Lewis later turned to CTV News’ podcast Attention Control to get the word out regarding the potential breach.
Much of the data being sent over the unencrypted radio frequency dealt with highly sensitive patient information, the researcher noted.
“It has the diagnosis. We can see here people with ovarian cancer and liver transplants and chronic back pain,” Lewis told CTV News.
Lewis also said that the names, sex, medical condition, ages, and room numbers (among other confidential information) of patients were being mentioned on the radio frequency. Enough information could be used to stage identity theft, financial crime, and even violence against certain patients, should the information fall in the wrong hands.
“It goes the whole breadth of anything that you might go to the hospital for is encapsulated in this data,” she said.
Despite warning the privacy officer of Vancouver Coastal Health (VCH) back in November, the unencrypted radio transmissions still continued.
Lewis approached Attention Control in late August – some eight months after her initial warning to VCH seemingly went unheeded.
“It’s disgusting that it’s been at least eight months and it’s not been fixed, it’s probably been there far longer,” she said. “And the thing that really makes me angry is that no-one seems to care about this.”