Teen Allegedly Leaked Health Information From PagersData on 'Thousands' of Australian Patients Released
A recent health data breach in Australia allegedly involving a teenager leaking data from a pager system points to the potential risks posed by legacy equipment.
Australian media outlet 9News reported on Monday and Tuesday that the medical information of thousands of patients in Western Australia - including COVID-19 patients - was leaked onto a public website allegedly set up by the teenager, a self-described "script kiddie" hacker. The site has been shut down.
More than 400 webpages - including messages between health officials and doctors - were posted to the website, 9News reports.
As of Wednesday, it was unclear whether law enforcement had yet apprehended the unidentified teen hacker, who 9News reports is from Mandurah, West Australia.
On Tuesday, Western Australia Premier Mark McGowan said the breach was associated with the use of a third-party pager service provided by Vodafone, which the state's health department has since turned off, according to 9News.
"It's very disappointing and disturbing. I learned last night that there was this pager arrangement in place," McGowan reportedly said, adding that the department told him it was using the pagers "because an SMS [text message] was not certain of getting through."
In light of what occurred, the department has stopped the use of the pagers "and there will be a double SMS program," McGowan said, according to 9News.
The teen hacker allegedly built software that intercepted an old, unencrypted pager network and then automatically posted the confidential messages to his website, 9News reports.
The Western Australia Health Department confirmed that it was alerted Monday "to a breach of confidential data associated with the use of a third-party pager service."
The department immediately contacted the vendor and asked that the paging component of its service be ceased until the issue is addressed, it notes in a statement.
"The paging service provider has indicated their services have not been compromised and it is working with the telecommunications provider," according to the statement. The department has also reviewed its own data systems, and those of Health Support Services - the shared service center for the Western Australia health system, the statement adds.
"The Department and HSS can confirm that there has not been a breach of health data sources. These systems remain secure," according to the statement.
Pagers 'Not Secure'
Meanwhile, Vodafone says it does not consider the episode a "hacking" incident "because paging networks are not secure."
In a statement provided to Information Security Media Group, Vodafone, notes: "Paging networks send messages using legacy radio technology, which is not able to be encrypted, unlike mobile phone networks, which use encryption to protect customer communications. We encourage customers not to use paging services to send sensitive information."
The company adds that as soon as it became aware of a website illegally publishing paging messages, "we took immediate action and had it shut down within hours. We have also referred the matter to the Australian Federal Police and Western Australia Police."
Vodafone also notes that it advised paging customers in 2019 that it would be looking to close the paging network at the end of 2020. "We have been working with customers, which include emergency and health services, to encourage them to transition them to our secure mobile phone network," the statement says. "The paging network operates separately to our mobile network which is secure and encrypted. There was no impact to our mobile network or mobile customers."
Among the thousands of patient case details apparently leaked were: a worker at one hospital discussing a 2-month-old with COVID-19, doctors expressing concerns about patients and their contacts who may have the virus, and a child protection officer sharing concerns about a young person in a group home, 9News reported.
"While there are some unique aspects to this pager vendor and its environment, this is just another example of how the entire ecosphere of healthcare is in the cross-hairs of hackers."
—Mark Johnson, LBMC Information Security
The alleged hacker's website, which had been operating for months, also leaked sensitive information from a number of other West Australian government entities, including ambulance operators, local councils and the fire service, 9News reported.
Some privacy and security experts in the U.S. say the paging system incident in Australia spotlights the range of security threats and risks facing the healthcare sector.
"While there are some unique aspects to this pager vendor and its environment, this is just another example of how the entire ecosphere of healthcare is in the cross-hairs of hackers," says former healthcare CISO Mark Johnson, a principal at the consultancy LBMC Information Security.
"When we think of healthcare, we traditionally think of just the payers or providers," he says. But this case shows anyone who handles patient data must have robust cybersecurity measures in place, he adds. "Gone are the days where you can say, 'Who would want to get at the data I have? No one would care about this.' Everyone needs to raise their game."
The Australia incident "highlights that you don't need to be a highly skilled attacker to do damage," Johnson adds. "The 'democratization' of the attacker is a trend we have seen for years, and this is just another example."
While the use of pagers in healthcare might seem outdated and rare, many other large institutions across the globe are still using the communication technology or are in the process of phasing it out.
In early 2019, the United Kingdom's National Health Service ordered the removal of pagers for non-emergency communications by the end of 2021.
"Staff will instead use modern alternatives, such as mobile phones and apps. These can deliver more accurate two-way communications at a reduced cost," the NHS said in a February 2019 statement.