Australian Teenager Exposes COVID-19 Patient Data via POCSAG Pager Network

news pager

A 15 year old Australian teenager has been accused of leaking sensitive COVID-19 patient data such as the phone numbers and addresses of people in quarantine, and conversations between health officials and doctors about COVID-19 patients. The leak occurred via a public web page that he had set up to share decoded POCSAG pager data that he received from his home.

Pagers are still typically used in many parts of the world by hospitals. It is a tried, tested and very reliable system for messaging, however most systems in the world send data out in unencrypted plain text for all to see. Anyone with a cheap scanner radio or $20 SDR and freely available software can decode every single message sent via paging from almost anywhere in a city as the signals are often extremely strong. Pagers are intended to be reserved for urgent infallible messaging, as paging is more reliable compared to mobile SMS since SMS messages do not always get through, or can be delayed by several minutes. Alternative secure communication channels such as SMS should be used for private information, however this protocol is not always followed due to the additional hassle.

The teen appears to have used either a Baofeng or RTL-SDR to receive the POCSAG pager signal available in his hometown in Western Australia. The pager signal was decoded with multimon-ng, and displayed via the PagerMon software. PagerMon creates a web page that displays pager messages in an easily readable format, and the page can be made accessible to the internet if desired. It seems that the teen is a scanner enthusiast, and did not intend to purposely leak patient data, however others found his PagerMon page and brought it to the attention of the media. His site has now been shut down, and officials have decided to shut down the pager system in favour of a double SMS system.

Some of the leaked messages via 9 News Perth
Some of the leaked pager messages via 9 News Perth

This is a story that repeats often all around the world. In the past we’ve seen whistleblowers report on patient data breaches in VancouverKansas, and via an art installation in New York that continuously printed out pager messages.