Pagers Expose Months of Patient Data from Ambulance Tasmania

Last month, Ambulance Tasmania was rocked by the news that a major data breach exposed over two months of records of patients’ sensitive data.

On January 8th, the personal details of every patient who called an ambulance between November 2020 and mid-January 2021 were discovered online. The website’s administrator posted live updates every time paramedics were dispatched, until the webpage was shut down in mid-January. Sensitive health information exposed on the website included patients’ personal details, gender, age, condition, HIV status, and even the address of the incident. Tasmanian officials expressed concern, outrage, and vows to get to the bottom of the matter.

Where did the breach come from?

Pagers.

University of Tasmania privacy expert Joel Scanlan was not surprised. "I don't think it's overly surprising, as we've seen a few similar paging systems have similar breaches," he said. "It's a situation where the infrastructure we have has not caught up to the expectations we have around our data."

Pagers have long been considered the most reliable and secure method for transmitting patient information. They’ve served hospital staff well for a long time. As technology has evolved, however, it’s become frighteningly easy to access unencrypted information transmitted through pagers. Based on the findings of Canadian privacy researcher Sarah Jamie Lewis, unencrypted pages can be hacked with only a laptop and an antenna that’s available online for under $30. According to experts, this is also how the Ambulance Tasmania data breach occurred.

The issue is not limited to this health system. In July 2020, a similar situation occurred in Western Australia—this time, the handiwork of a 15-year-old hacker with no access to sophisticated hardware and little coding knowledge. That breach of confidential data was also associated with the use of a third-party pager service.

Pager security is an issue around the world, and more and more hospitals are finding themselves the victims of data breaches thanks to information exposed by unencrypted messages sent via pager. Health systems in Vancouver, British Columbia and Kansas City, Missouri are just two recent examples.

According to a pager and communications systems expert and radio operator who goes only by the name Michaela, it’s not unusual for people to obtain access to PHI this way—with interest and relatively little technology or hacking ability. “It's very common for people to be listening to the pager networks, and it's not uncommon for these people to be logging them,” she said. “From time to time people set up websites that publish this data online.” And the breaches are only discovered when they’re posted online.

“Pager networks are by design in plain text,” explained digital security and information security engineer Eliza Sorenson. Alphanumeric pagers don’t encrypt messages, which means that if they’re intercepted, there are no other protections in place to ensure that hackers can’t read the information. This is why unencrypted pagers are so susceptible to hacking. Sorenson acknowledged that this might be a shock for Tasmanians. “For a country that adopts technology rapidly, it's alarming that something as important as first responder communications are still being done this way, but also that as a country we do not hold the information of our citizens at a higher standard of protection."

Transmitting data via radio frequency is an old technology, which makes it difficult to protect sensitive information. Darren Hopkins, a partner at McGrathNicol and authority on cybersecurity risks, recommends immediately upgrading old systems. "If anyone is still using older technologies that are susceptible to this type of loss, they would need to think about replacing them very quickly," he said. "When you find an issue with the technology you're using, you research and find an alternative and implement it as soon as you can.”

Hospitals may take precautions by investing in pagers with HIPAA compliant security measures, such as encryption and password protection. However, new communication technologies might be a better route to explore, as they offer a much wider degree of functionality in addition to tightened security. HIPAA compliant communication platforms are designed to prevent hacking attempts—sophisticated or amateur.

Mobile technology has come a long way in the last ten years, and can now offer clinicians a wide variety of secure ways to communicate about sensitive information. Communication platforms like Pulsara have been specifically designed for healthcare communication, bringing secure, HIPAA compliant solutions to acute care spaces. Video calls and text messaging allow for quicker, clearer communication, saving time and frustration. Connectivity has greatly improved. Mobile technology can enable instant, timestamped, group communication. And with the rise of telehealth, all these capabilities are easily available to hospitals.

Pagers have served healthcare well for a long time, but security issues should prompt health systems and organizations to take a closer look at their communication methods. With new technologies on the rise that can better secure patient information, it’s time to put patients’ privacy first.

Could pagers be exposing patients' protected health information at your hospital or ambulance service? Learn more here.