The 2020 Pwnie Nominee For Most Innovative Research

Vancouver Hospitals Pager Breach

Sarah Jamie Lewis

The Open Privacy Research Society discovered that the sensitive medical information of patients being admitted to certain hospitals across the Greater Vancouver Area is being broadcast, unencrypted, by hospital paging systems, and that these broadcasts are trivially interceptable by anyone in the Greater Vancouver Area. The data being broadcast includes the patient's name, age, gender marker, diagnosis, attending doctor and room number. Other broadcasts regarding medical tests such as x-rays are often associated with a patient's last name or medical number, exposing their progression through hospital departments. We have been able to confirm the authenticity of this data by cross-referencing records with public obituaries. Open Privacy immediately began responsible disclosure of this issue with Vancouver Coastal Health (VCH) in November 2018. After several attempts at contact, they were informed in a brief email in December 2018 that the issue had been escalated. After several months with no follow-up, and with the breach still ongoing, Open Privacy made the decision to contact journalists and begin public disclosure of the existence of this breach in an attempt to inform the public while minimizing the potential harm.
