Report finds sensitive details on personal matters like mental health, pregnancies, STDs vulnerable to misuse

Millions of highly sensitive personal health records about people accessing health care in British Columbia have been left “disturbingly” vulnerable to leaks after the provincewide health authority failed to address security concerns in recent years, a new report has found.

The Office of the Information and Privacy Commissioner for B.C. published a report Thursday saying the Provincial Health Services Authority (PHSA) has known about the “troubling” level of exposure since it audited its own system in 2019, but hasn’t done enough to address the issue.

“There is an enormous volume of sensitive personal information that, if breached, could cause a significant list of harms including embarrassment, loss of dignity, family breakdowns, and even physical harm to individuals if it was accessed improperly,” read the report from the privacy watchdog.

“One would expect the highest degree of privacy and security would be in place to protect our personal information from such intrusions … But as we learned during our investigation, this is not so.”

Database holds roughly 6 million records

The PHSA works with regional health authorities to provide care across B.C. and oversees specialized hospitals and centres, including B.C. Children’s Hospital, B.C. Cancer and the B.C. Centre for Disease Control.

It runs a database called Panorama, which maintains patient information for six million people who have accessed care from health authorities in B.C. It also includes information on patients who have died or left the province, as well as some living in Yukon.

The personal information includes all manner of interactions with the health-care system, from vaccination status to mental health evaluations to a record of sexually transmitted infections, including HIV. It includes any information about pregnancies, including their outcome, as well as drug and alcohol use.

The database also holds addresses and other personal information for migrant workers in the province.

Security gaps mean the system can be abused by “bad actors,” from cyber criminals to people looking for information about an ex.

“It should go without saying that the nature of this personal information is amongst the most sensitive and voluminous data held about us by any public body,” the report said.

“Every British Columbian should be troubled by these findings, because it means personal information in the system is vulnerable to misuse and attack.”

PHSA upgraded system

In a statement, PHSA said it upgraded Panorama in July and is working to improve its audits.

​”PHSA takes privacy very seriously and on behalf of patients, clients and families throughout British Columbia, we are continually taking steps to ensure that people’s sensitive and private information is secure and protected,” wrote PHSA president and CEO David Byres.

The report found many areas where the system is vulnerable. One particular concern was that the system doesn’t have tech in place to detect a potential security breach while it’s happening — only afterward.

“Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act,” the report said.

Roughly 4,000 people have access to Panorama, including health-care workers and ministry officials doing public health surveillance to track spread of diseases like COVID-19.

There is no multi-factor authentication required to access the system, the report says. There is also no infrastructure in place to automatically detect whether someone has accessed the system for inappropriate reasons, nor is there a login alert like many users receive when someone logs into their email or social media accounts. Personal information within the database is not adequately encrypted, either.

The privacy commissioner’s report, released Thursday, followed an audit last year examining PHSA’s cybersecurity risk.

The final report by B.C.’s auditor general found thousands of medical devices used to diagnose and treat people lack effective cybersecurity protections, leaving the authority vulnerable to a cyberattack that “could harm patients and significantly disrupt hospital operations.”