Healthcare Pages Intercepted and Posted Online
Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual.
Pages were intercepted and posted online, exposing a limited amount of patients’ protected health information (PHI). The individual responsible for the pager attack posted pager transmissions that included patients’ names, room numbers, medication data, birth dates, medical record numbers, symptoms, diagnoses, and details of medical procedures.
Providence Health & Services reports that the information sent via its pager network was limited to the minimum necessary information, in accordance with HIPAA Rules.
Pages were accessed and disclosed publicly between October 25 and October 28, 2016. The breach was discovered on October 27. The breach notification letters sent to patients explain that PHI was only accessible on the website for a “couple of minutes at most.”
The incident was not limited to Providence Health & Services. Other healthcare organizations were also targeted, as were other users of non-secured pagers such as public safety departments and businesses. At this stage, it is unclear how many healthcare organizations were affected and how many patients had their privacy breached.
In a healthcare environment, pagers are primarily used to communicate urgent patient information to physicians and other healthcare professionals. The information sent via pagers is brief and usually limited to PHI required to provide treatment to patients.
Pager technology has served healthcare organizations well for more than 60 years, with the first healthcare pagers used in New York City’s Jewish Hospital in 1950. The appeal of pagers is clear. The technology is reliable, and vital information can be rapidly communicated. However, pagers are not secure.
Previous studies have highlighted the privacy risks from using unsecured pages in a healthcare setting. This incident highlights just how easily PHI breaches can occur if unencrypted messages containing PHI are transmitted.
Fortunately, 100% secure communication systems such as HIPAA-compliant text messaging platforms are becoming more commonplace, and pager technology is compatible with data encryption. However, organizations that still use unsecured channels for communicating health information run the risk of experiencing HIPAA breaches such as this.