Faxing faux pas compromises patients’ mental health records

For ten years doctors’ offices have been sending confidential documents to a spa owner’s fax machine.

David bisson
David Bisson
@

Fax spewing

A businesswoman has gone public with a story about how a careless faxing mistake has compromised dozens of patients’ mental health records over the course of the last decade.

Lisa Belanger, a spa owner who lives in Bedford, Nova Scotia, contacted CBC News to tell them that her business has received “dozens of faxes” from doctors’ offices intended for a mental health referral office located in the Bedford-Saxville area over the past 10 years.

Lisa belanger

Sign up to our free newsletter.
Security news, advice, and tips.

Most of the faxes contained personally identifiable information including patients’ names, phone numbers, and even notes regarding their mental health histories.

She still remembers the first fax she received some years ago:

“It was a patient who was sadly suicidal and needed to see somebody at the crisis center. It was my first time ever seeing something like that or even being aware that something like that could be sent by those means.”

The fax numbers for the mental health referral office and Belanger’s business are identical except for one digit.

The spa owner estimates she currently receives between eight and 14 misdirected faxes a year.

ShreddingFor each fax she receives, Belanger calls the offending doctor’s office to let them know they faxed the patient’s medical records to the wrong location. She then shreds the documents to make sure no one’s information is further compromised.

One of the patients affected by the privacy breach still feels very upset that his information was exposed, as they anonymously told CBC News in a separate article:

“This is pretty serious stuff. This can ruin people’s relationships, careers, a whole myriad of things. If that information had of got out it would have been devastating. It is very frustrating and not acceptable. It’s just not acceptable. That’s the most personal of information.”

Throughout the years, Belanger has reached out to the Capital District Health Authority, Health Minister Leo Glavine’s office, the College of Physicians and Surgeons, and the office of Nova Scotia’s privacy commissioner in the hopes that someone would do something to rectify the issue.

The spa owner explains she’s been told memos were sent out to doctors’ offices all over Nova Scotia reminding staff members to enter in the correct fax number. Still, the problem has persisted.

Some organizations stated they passed along Belanger’s complaints for “corrective action,” whereas others denied ever having a record of the businesswoman’s calls.

The Nova Scotia Health Authority said it is currently looking into methods other than fax to send confidential medical and mental health records to doctors’ offices.

Nova scotia health authority

Ultimately, Halifax privacy lawyer David Fraser feels it is up to the provincial privacy commissioner to do something, saying it’s “incumbent upon them to investigate and find out really, in fact, what is going on.”

It’s troubling that no one aside from Belanger has done anything to address this breach… unless of course you consider sending memos to be a meaningful act.

The fact that dozens of doctors’ offices are guilty of sending faxes to Belanger’s spa has me wondering whether the mental health referral office’s number is mislabeled in a directory of some sort. If that is the case, someone in the medical field should have acted upon Belanger’s complaints and changed the number years ago. In a gross act of negligence, no one did anything.

In this information age, we are all responsible for protecting not only our own data but also the information of others.

With that in mind, if you find yourself in a position similar to Belanger’s, shred the sensitive documents, contact an appropriate authority, and don’t stop contacting them until someone hears your complaint.

We can only hope someone would do the same for you.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

9 comments on “Faxing faux pas compromises patients’ mental health records”

  1. Jon Green

    Using fax, for pity's sake? Why don't they have them delivered by telegraph? Or pony express? Or (I'm looking at you, Pheidippides) bonded runner?

    Fax is such an outdated and inefficient (not to mention insecure) technology that it's amazing to me that anyone still uses it.

    1. coyote · in reply to Jon Green

      Then what do you suggest?

      Email? Email that is very rarely encrypted? If it's encrypted is it strong encryption? Is there a guarantee that the computer disks involved also have (strong) full volume encryption? Secured? No malware? No shared passwords? No reuse of passwords? No backdoor? List goes on. Positive of all that? Completely positive?

      Perhaps you prefer file sharing services and/or the cloud? Same questions as above apply.

      Secure file transferring like scp? Same questions as above apply.

      'Private' (says who ?) internet (note: not THE Internet) between the two corporations? Same questions apply as above.

      Or maybe you prefer photocopying the records and sending it by post, post that is vulnerable to theft and other abuse?

      You could also have it on a small external hard drive (or other kind of drive)! Send it by post too – encourage people to believe that is safe and also have the same risk as other postal risks (and all the other concerns I raised)!

      Maybe you prefer government officials (after all they are meant to protect everyone and especially their privacy !) 'securely' transfer it to the doctors offices? They can keep their own secrets so they can also keep the secrets of others!

      Did it ever occur to you that the more copies there are the easier it is to compromise? Did it ever occur to you that sometimes these records need to be transferred in as close to real time as possible? Did it ever occur to you that some people (and you should then consider yourself lucky that you don't realise this !) have severe enough health problems (or more rare problems) that require travelling long distances (sometimes in other cities, counties, and even wider) for care whether going to specialised hospitals, labs, outpatient medical centres? No? Then maybe you shouldn't be speaking for those who have all of those.

      None of those alternatives are acceptable to me (and even if you're trying to be sarcastic your suggestions are even more absurd and all defy my points) – and I speak as someone who has (from individual doctors) medical records which are thicker than several bricks stacked on top of each other! Your statement is utterly absurd, a disgrace and a shameful disregard for those with health problems! (And no I am not even close to overreacting)

      1. Jon Green · in reply to coyote

        Wow. What a remarkable rant. I'd have been more impressed if you'd actually written it under your own name instead of a pseudonym, though.

        Let's deal with fax. It's slow, unreliable, the results are often corrupted by line noise, and is based on a technology that was first demonstrated in 1924, and commercialized in 1948. The information sent by fax is not in any fit state to be incorporated into electronic patient records in any way that allows searching, tagging or indexing – it's just pictures, and low-grade pictures with only two or few gray levels at that.

        So let's imagine a patient's admitted to the ER at some hospital, with an urgently life-threatening condition. The consultant on call telephones the patient's regular physician, to obtain relevant records. The physician (or their admin) then has to either print out the relevant parts and feed the sheets into a fax machine, or print directly to a fax modem. Of course, that rather depends on the fax lines *on both ends* being free. Fax lines are a single point of failure here – and hospital fax lines are still (lamentably) busy. By the time the modem's ground out the images of the records (along with grainy, horrible copies of X-rays, etc.), and they've been picked up from the recipient fax system and brought to the consultant, how's the patient now?

        Oh, and by the way, another three single points of failure: the consultant giving out the number, the physician hearing the number, and the physician typing in the number. This article illustrates rather nicely that these SPoFs are very much a problem. If any of these goes wrong, those patient records – the security of which you're so concerned – get sent to the wrong place, or delayed until the patient's already dead on the table.

        So what can replace it? You've dismissed a whole lot of options out of hand, but I don't think you're aware of the options. There are PDF security packages that allow the files to be sent using regular (non-HIPAA-compliant) email, or left in a dropbox for pickup, but which are deeply protected; the password can be provided by another mechanism, say phone. (Locklizard's PDF Security for one example.) There are secure web portals and dropboxes that are HIPAA-compliant. (Box.com has a HIPAA and HITECH compliant product.) And there are HIPAA-compliant secure email solutions, such as Paubox's and Virtru's.

        Welcome to the 21st Century, "Coyote". We've got some neat toys now.

  2. Phil Miller

    Notify an "approximate" authority? Just goes to show you how people make mistakes and don't check their work.

    1. Graham CluleyGraham Cluley · in reply to Phil Miller

      Whoops. Well spotted. :) Fortunately, it won't take us a decade to fix…

  3. Dr A Midgley
  4. Mark Jacobs

    Are you seriously telling me that they're sending people's mental health notes via fax in these hacker days?!! They may as well be sky-writing them!

  5. Alex H

    In the UK when sending personal data the ICO requires you to phone ahead and check that the person the fax is intended for is standing next to the fax machine before you send it, you would think they would implement something like this in the US or just do away with fax machines altogether.

    Then again they wouldn't be the only profession that enjoys faxing. http://www.itproportal.com/2014/08/29/premier-league-transfer-deadline-day-the-technology-behind-the-deals/

  6. Rob

    There was a period a few years ago where I was getting misaddressed faxes on my home phone – also highly sensitive documents, these referring to offenders, being faxed to me from various different county courts, maybe one a month! They were intended for a private security company that dealt with the transport, again a single digit different in the telephone number. If I could find a number for them, I would phone the sender back, and also the security company. In the end it was getting the ICO involved that seemed to stop it – that and a (gradual, it seemed) changeover to a more secure means of transferring the information!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.