A man in Missouri purchased a $30 antenna to be able to watch TV stations on his laptop. Instead of receiving his local network television programming, he started picking up electronic personal health information (ePHI) of patients at nearby hospitals. The signals were from unencrypted pager messages to doctors.
The Johnson County IT worker saw patient data from the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children’s Mercy Hospital, St. Mary's Medical Center and Wesley Medical Center in Wichita. He has seen some from as far away as Michigan and Kentucky.
He recently told The Kansas City Star about the issue after stumbling across hospital pager information while playing with an antenna, which he bought to get TV channels on his laptop computer. With a simple program, the antenna picks up radio signals that can be digitized.
He started seeing things like this, with the patient's and doctor's names included:
RQSTD RTM: (patient's name) 19 M Origin Unit: EDOF Admitting: (doctor's name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA
It was the personal patient data of a 19-year-old man, broadcast across the airwaves for anyone to read.
"When I first saw it I thought, 'How does this happen? Why is it not fixed?' This is 2018," he said. "One, we're still using pagers? And two, we're sending unprotected patient data to them?"
The Star is not naming the IT worker because of legal concerns about the Electronic Communications Protection Act, which extended restrictions on tapping phone lines to the interception of other electronic communications.
Although the man did not purposely seek out the hospital data, he wanted to bring attention to the fact that hospitals are not encrypting this information and that it is easy for potential criminals to find and use for identity theft. He also believes that the practice may violate the Health Insurance Portability and Accountability Act (HIPAA).