Some facts regarding this story:

* Open Privacy found patient records (name, sex, diagnosis, doctor, room number) in our log files during an unrelated radio project.

* We confirmed the authenticity of this data by cross referencing it with public obituaries.
* Due to timing happenstance we were also able to learn the name and room number of a gunshot victim; that name was never released (or at least never reported) by the media as she was being treated.

This medical data breach has real life consequences.
I've been asked "why is this important" by journalists today and...I don't know how to answer that if it isn't obviously apparent to you when I say that patient medical data is being broadcast in real time across Vancouver.

Like Twitter but for your medical treatment.
We securely deleted all of our logs after helping VCH with their investigation(s), but that doesn't make the breach go away.
VCH also asked us to "return the data to the privacy office", and even if we were still in possession of the logs, I'm not even sure what to make of that question.
Since I've been asked this question a few times: while we did observe ad-hoc pagers containing PII, the most concerning were the structured records, which were obviously machine generated, heavy in quantity and contained a wealth of nicely formatted patient information.
As I mentioned, when we provided evidence of these records to VCH we had to heavily redact them because we didn't consider email an appropriately secure mechanism for transmitting critical data like patient name, room number & diagnosis.
Imagine having your diagnosis broadcast to the entire city before you've been told - we observed patient names linked to diagnoses of everything from pneumonia, to chlamydia, to gunshot wound, to liver transplants.

It's really hard to overstate the seriousness of this breach.
As I mentioned we were easily able to cross reference public obituaries to confirm the authenticity of this data. As morbid as that is, it underscores how trivial it was to link this data to real people and real events.

This isn't an abstract harm.
I've been asked why there are some big gaps in the timeline early this year, and that was mostly because I was working on the research around the cryptographic flaws in the Swiss evoting system. We get a lot done at @OpenPriv but we are limited!

openprivacy.ca/blog/2019/08/0…
I've now had multiple separate reports that these health records have been intercepted by various parties dating back at least 3 years (some dating back much further).

The number of patients impacted could be in the hundreds of thousands.
I've also had a few reports that other BC and Canadian health authorities are likely impacted by the same or similar issues. This would be unsurprising (we've suspected the same based on public reporting) - but it also adds up to a medical data breach crisis.
The main reactions I've received have been shock and horror. People do not expect their medical data to be treated like this, recklessly broadcast for anyone to consume.

Something needs to change.
I expect this conversation will roll into the next few days and weeks. This part of the story is far from over, with investigations ongoing (and we still need to understand why the initial VCH investigation concluded that there was no issue).