California was one of the first states to act fast when the coronavirus pandemic entered the United States. The state issued a stay-at-home order that saved around 40 million residents. There wasn't any public information on just how badly the pandemic was affecting the hospitals.
Despite covering the real impact of the pandemic, the public soon found out that medical staff in hospitals struggled with a lack of PPEs, ventilator shortage, and an overwhelming number of patients, as reported by CNET.
The issues were discussed by hospital staff from San Diego to Los Angeles on a pager network. However, a security researcher named Troy Brown, said at his presentation at Defcon's Internet-of-Things village that the messages were leaked.
Brown saw it all, including the personal information of patients, like their names and their COVID-19 status, as well as how often patients were transferred from the coronavirus wing to the morgue.
The personal and sensitive information was being sent without encryption over hospital pagers, according to Brown. It allowed him to view the private conversation s from March to August.
Brown said that the unencrypted pager messages include numerous information on COVID-19 patients. He was shocked to know that it was being broadcast in plain text for a long distance. He also pointed out that hospitals should do a better job of securing their wireless communications.
Hospitals having messaging protocols that can be easily hacked is not new. Researchers have already warned the hospitals about the issue for years.
In October 2019, news reports focused on one researcher in London who found that pagers used by UK's National Health Service had been leaking medical data on emergency calls.
Pagers can be encrypted easily, but 80% of hospitals are still using it, according to Spok. Brown was able to use a $20 software-defined radio to listen in on one radio tower located near his home, which broadcasted messages from 70 miles away.
Once Brown started eavesdropping, he said he saw a lot of information about COVID-19 from hospitals, including the types of requests that patients made. The details showed a glimpse of how people were viewing the coronavirus pandemic and how the perceptions have changed as the conditions got worse.
Brown saw sensitive information including the patient's name, age, gender, diagnosis, COVID-19 status, what treatment they were getting, and the PPE supply stats of the hospital, their ventilators, and inventory of beds. He also saw when the patients died of COVID-19.
At the beginning of the pandemic, the messages included notes about the shortness of breath, fever, and other symptoms related to the disease. By April, the messages included questions about COVID-19 added by default even if the patient did not have COVID-19.
Brown said that his intention was not to call out a specific hospital. His goal is to highlight the issues of hospitals using unencrypted systems and violating patient privacy and how easy it is to hack it.
Privacy in health care is important during a pandemic because patients need to trust that hospitals will be able to keep their personal information secure when they go in for tests or provide their data for contact tracing. According to CNBC, lawmakers have called for privacy protections for coronavirus treatment because of these reasons.