Pagers used within the United Kingdom’s National Health Service are leaking sensitive patient information, and an amateur radio enthusiast has been broadcasting some of that medical data on a webcam livestream, a security researcher has found.
TechCrunch reports that Florida-based security researcher Daley Borda stumbled upon the strange confluence of archaic tech that flowed together to create a security nightmare.
Borda regularly scans the internet looking for concerning privacy and security activity. He recently discovered a grainy livestream showing a radio rig in North London that picked up radio waves and converted the transmissions into text that was displayed on a computer screen, according to TechCrunch. The hobbyist had set up a webcam that captured what was on the display, which showed medical emergencies as they were being reported. The webcam reportedly had no password, so anyone could find it and see the messages that showed directions meant for ambulances responding to emergency calls.
“You can see details of calls coming in—their name, address, and injury,” Borda told TechCrunch, which verified his discovery.
The tech news outlet reviewed several concerning messages that showed the location where people were reporting medical emergencies, including one that showed the address where a 49-year-old man was having chest pains and one that showed the address of a 98-year old man who had fallen.
The pager messages were reportedly coming from a regional National Health Service (NHS) trust. The NHS, like many medical institutions and hospitals around the world, still use pagers, also known as beepers. These archaic devices use low frequencies that can reach farther and penetrate dead zones. Many hospitals are filled with dead zones because the buildings have thick walls that are meant to block X-rays.
As TechCrunch points out, pagers often use the FLEX and POCSAG protocols, which are not encrypted and are easy to translate with easily found software.
TechCrunch contacted the radio enthusiast’s internet provider to inform them of the situation. The provider later told TechCrunch that it had contacted the hobbyist who said they were “unaware of the nature of the information being shown,” and would end the webcam feed.
A spokesperson for NHS told Gizmodo that the NHS consists of several different organizations, like hospital trusts and ambulances trusts, and “each organization is responsible for the technology it buys and uses (including pagers).” They pointed Gizmodo to a statement that Health and Social Care Secretary Matt Hancock issued in February instructed the NHS to stop using pagers by 2022. In his statement, he said the NHS uses 130,000 pagers.