EXCLUSIVE: Patient data exposed at 2 Toronto hospitals, privacy commissioner investigating
Posted March 25, 2019 1:31 pm.
Last Updated March 25, 2019 3:03 pm.
The University Health Network (UHN) has changed the way it uses pagers to communicate after an investigation by 680 NEWS revealed more than 200 patients’ private information was easily accessible to the public.
A computer programmer came across the information of 223 Toronto General Hospital and Toronto Western Hospital patients in late January. He was able to access the information, contained in hospital pager messages, from his home more than 10 km away.
“I started to see the names of patients, their date of birth, blood test results, even requests to transport patients who had died to the hospital morgue,” said the computer programmer speaking on the condition of anonymity.
Pagers can send signals strong enough to travel across the GTA instantly but the messages from most have no protection. UHN confirmed it has used this unencrypted system for decades. The Information and Privacy Commissioner of Ontario is now investigating.
Almost anyone can get their hands on the pager data with $20 worth of hardware and two free software programs, the programmer said.
“You don’t need to be an expert. You just need to be able to follow instructions that tell you what to click on and just apply some very basic sense,” he said.
After 680 NEWS asked the UHN about the exposed data last week, the hospital network changed its system to stop transmitting private patient information through pagers.
“We turned off any communication of personal health information over the paging systems,” said David Jaffray, executive vice president of technology and innovation at UHN. “We reached out to our staff and reminded them of the importance of not putting patient health information on systems without encryption, like the pagers. We also reached out the Ontario privacy commissioner.”
According to Ontario’s health ministry, hospitals are required to “take steps to ensure that personal health information in their custody or control is protected against unauthorized use or disclosure,” said ministry spokesman David Jensen in an email.
UHN is in the process of contacting affected patients.