Hospital Pager Messages Intercepted Resulting in PHI Breach

Many healthcare organizations have already replaced outdated pager systems with secure messaging systems. Any healthcare provider that is still using pagers should be aware of a recent security breach in which a ‘radio hobbyist’ living in Missouri intercepted pages from some hospitals and physicians.

The software-defined radio (SDR) used to intercept the pages is not new. Many websites describe SDR, its functions and its applications, including its ability to intercept private communications. The risk that cyber criminals could use this technique to acquire PHI has also been discussed. Using SDR does not cost a lot: the hardware can be purchased for $30, and the computer and the free software needed are easily available.

The radio hobbyist, who is also an IT worker, is from Johnson County, Missouri. He purchased an antenna to use with his laptop to pick up free TV channels. However, he did not just receive TV channels; he also picked up pages from doctors at various hospitals. He told the Kansas City Star that he intercepted pages containing very sensitive data via his SDR.

Even though the SDR was not near a hospital, it was easy to intercept pages and read the communications. The man was able to obtain pages coming from hospitals and medical centers in Harrisonville, MO; Blue Springs, MO; Liberty, MO; Kansas City, KS; and other health facilities in Michigan and Kentucky.

Kansas City Star reporters called a few of the hospitals whose patients’ sensitive information was intercepted to verify that the information was accurate. Patients and doctors were shocked to find out that someone had obtained the sensitive data.

Not all of the hospitals contacted replied to the query. However, many said that they have instructed their vendors to resolve the issue so that pages will not be exposed again. It is unlawful to intercept pages under the Electronic Communications Protection Act. Hacking or phishing efforts aimed at accessing PHI from healthcare networks are likewise unlawful, but hackers still get away with it.

In light of this latest privacy breach, covered entities that are still using pagers should opt for a secure messaging option; meanwhile, pager vendors may want to try encrypting pages to prevent PHI exposure should hackers intercept them.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA