Date: 2022-12-15

Vulnerabilities at PHSA have existed uncorrected since 2019, says info and privacy commissioner

British Columbians’ medical information is at an unnecessary risk of being accessed by unauthorized intruders, a new investigation from the Information and Privacy Commissioner has found.

Commissioner Michael McEvoy said the Provincial Health Services Authority (PHSA) is failing to protect residents’ records and has known about security and privacy vulnerabilities within its system since at least 2019.

B.C.’s health records database, known as the Provincial Public Health Information System, is used to store people’s health information from their vaccination status to possible sexually-transmitted or infectious diseases, as well as their mental health and any history of pregnancies. If a patient ever discussed their use of alcohol or tobacco, education level or income, that information would also exist in the database.

The same system is also used in the Yukon.

Used correctly, McEvoy said it’s vital in coordinating care for people and responding to communicable disease outbreaks, such as with COVID-19.

“However, the system is subject to abuse if wrongly accessed by any bad actor, ranging from cyber criminals to a jilted lover looking for information about an ex to someone simply curious about their neighbour,” he said in his report released Thursday (Dec. 15).

“Our findings were concerning. Because there are no proactive processes in place to monitor for suspicious activity, a major breach of the database could occur today, and no one would know.”

The investigation identified a number of vulnerabilities that it says need to be addressed immediately.

Firstly, McEvoy found the information system lacks a proactive audit program that would alert authorities if someone tried to access private data for a nefarious purpose. As it stands now, PHSA only has a reactive system, in which it reviews breaches after they occur.

“Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act,” McEvoy said.

The system also has no means of encrypting people’s personal information, lacks an ongoing program for managing application vulnerabilities, and has failed to implement a universal requirement for multi-factor authentication.

In a statement, PHSA president and CEO David Byres said they are committed to reviewing the report’s findings.

“PHSA takes privacy very seriously and on behalf of patients, clients and families throughout British Columbia, we are continually taking steps to ensure that people’s sensitive and private information is secure and protected.”

Byres added that PHSA regularly makes security upgrades, that it is working to enhance its auditing system, that it actively mitigates cybersecurity threats, and that past security assessments have indicated PHSA does sufficiently protect patient data.

More to come.
