Pager Breach Exposes Patient Data From Six Hospitals

Posted on July 6, 2018 I Written By

Anne Zieger is veteran healthcare branding and communications expert with more than 25 years of industry experience. and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

The IT worker was shocked. All he had done was buy an antenna and try to get TV channels on his laptop computer, but to his amazement, he inadvertently intercepted a flood of unencrypted pager messages chock full of private patient data.

The pager messages flooded in from six Kansas City area hospitals, including the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children’s Mercy Hospital, St. Mary’s Medical Center and Wesley Medical Center.  All told, the man had gotten access to information on hundreds of patients, in a fusillade of potential HIPAA violations.

According to an article in the Kansas City Star, patients who learned about the breach were horrified. “Who knows what else is going on, if it’s that easy for that information to get out there?” one woman told the newspaper. “There’s a big security breach there that needs to be stopped.”

When the paper spoke to the hospitals involved, some punted and didn’t respond to questions. Others shrugged off the problem or suggested that the breach was not a big deal.

For example, the University of Kansas told the reporter that the pager vulnerability was due to “a specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances.” It seems that an apology was not forthcoming.

Another hospital, Children’s Mercy, told the Star that the IT worker was to blame for the problem, contending that the pager data was only accessible to “local hackers with specific scanning and decoding equipment —- and technical knowledge of how to use it for this specific purpose.” In other words, the breach wasn’t really its fault.

As the article points out, the IT worker could be accused of violating the Electronic Communications Protection Act, which restricts the interception of electronic communications. For that reason, the paper never identifies him. But the article strongly suggests that he was surprised to see the messages and operated in good faith.

The worker, for his part, sensibly argues that the hospitals should have realized that the messages were in the clear. “It’s security by obscurity at this point —- and that’s scary,” he told the paper. “In my line of work you see a lot of ‘Let’s hope nobody finds it,’ [or] ‘It’s hard to find, so it’s pretty secure.’ That’s not enough. We can’t just trust people won’t stumble upon it. We have to assume that they do.”