PHI Breach Due to Interception of Unencrypted Hospital Pages

Outdated pager systems have now been replaced by secure messaging systems in many healthcare organizations. Any healthcare organization that is still using pagers to communicate PHI should take note of a recent security breach, in which pages from several hospitals were inadvertently accessed by an IT worker in Missouri.

The IT worker is a ‘radio hobbyist’ from Johnson County, Missouri. He used a software defined radio (SDR) to view TV channels on his computer. However, while attempting to do that he inadvertently intercepted pages sent by physicians in several local hospitals. The man was able to pick up pages from hospitals and medical centers in the following areas: Blue Springs, MO; Liberty, MO; Harrisonville, MO; Wichita, KS; and Kansas City, KS.  Even if the SDR is not in close proximity to a hospital, it is possible to intercept pages and view the messages. Some of the pages were sent by doctors at hospitals in Kentucky and Michigan.

The IT worker contacted the Kansas City Star and explained he was able to intercept pages with highly sensitive information, one of which is detailed below (with the patient’s identity redacted):

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

The reporters from Kansas City Star contacted some of the patients whose PHI had been intercepted to confirm the accuracy of the information. It surprised the patients and the hospitals to know that unauthorized individuals had obtained sensitive information.

The hospitals concerned were contacted to alert them to the potential HIPAA breach. Not all hospitals responded, but those that did said they had contacted their vendors and have taken steps to correct the problem.

The use of SDR to gain access to sensitive information is not new. Many websites have explained the risk of information such as pages being intercepted with an SDR. All that is required is a computer, an antenna and free software. The antenna only costs around $30 and there are several websites that explain how the SDR can be used. It should be noted that use of an SDR to intercept pages is a criminal offense – a violation of the Electronic Communications Protection Act.

In view of this recent privacy breach, HIPAA-covered entities who are still using pagers should consider switching to a secure messaging solution or should certainly contact their pager vendors to explore the option of encrypting their pages to prevent PHI from being intercepted.