Vulnerabilities at PHSA have existed uncorrected since 2019, says info and privacy commissioner

Date: 2022-12-15

FILE - British Columbia Privacy Commissioner Michael McEvoy speaks during a news conference in Ottawa on April 25, 2019. THE CANADIAN PRESS/Adrian Wyld

British Columbians’ medical information is at unnecessary risk of being accessed by unauthorized intruders, a new investigation from the Information and Privacy Commissioner has found.

Commissioner Michael McEvoy says the Provincial Health Services Authority (PHSA) is failing to protect residents’ records and has known about security and privacy vulnerabilities within its system since at least 2019.

B.C.’s health records database, known as the Provincial Public Health Information System, is used to store information ranging from people’s mental and physical well-being to their sexual health and any infectious diseases they may have.

Used correctly, McEvoy says it’s vital in coordinating care for people and responding to communicable disease outbreaks, such as with COVID-19.

“However, the system is subject to abuse if wrongly accessed by any bad actor, ranging from cyber criminals to a jilted lover looking for information about an ex to someone simply curious about their neighbour,” he said in his report released Thursday (Dec. 15).

“Our findings were concerning. Because there are no proactive processes in place to monitor for suspicious activity, a major breach of the database could occur today, and no one would know.”

The investigation identified a number of vulnerabilities that it says need to be addressed immediately.

Firstly, McEvoy found the information system lacks a proactive audit program that would alert authorities if someone tried to access private data for a nefarious purpose.

“Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act.”

The system also has no means of encrypting people’s personal information, lacks an ongoing program for managing application vulnerabilities, and has failed to implement a universal requirement for multi-factor authentication.

