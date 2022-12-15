British Columbia's privacy watchdog says sensitive personal health records, from mental health to sexually transmitted disease histories, are “disturbingly” vulnerable to leaks.

Information and privacy commissioner Michael McEvoy says in a report released by his office that security gaps in the public health computer system put it at risk of abuse by bad actors, from cyber criminals to jilted lovers looking for information about an ex.

The report says collecting and storing personal information is vital to the delivery of health care and managing threats like communicable disease outbreaks, but the system's “entry gate” is weak and the industry standard of multi-factor authentication for access is not universally required.

It says there's also no proactive audit program that would alert authorities to those who try to use the system for nefarious purposes and, instead, threats are only addressed after a breach or security issue occurs.

McEvoy says it's “troubling” that the Provincial Health Services Authority, which is responsible for managing the system, has known about the risks since at least 2019 and made little progress to address them.

PHSA president and CEO David Byres says in a statement the health authority takes privacy seriously and will continue taking steps to ensure sensitive information is secure and protected.

However, he says PHSA already upgrades its security systems regularly and assessments have consistently indicated that patient data is sufficiently protected.

PHSA also has a user access auditing system in place and is working to enhance those processes, he says.

“We thank the Office of the Information and Privacy Commissioner for this report. We commit to carefully reviewing the findings and continuing to ensure our databases are safe and secure for everyone we serve,” Byres says.

The report makes seven recommendations to address the system's privacy and security risks, including encrypting personal information.

This report by The Canadian Press was first published Dec. 15, 2022.