It bills itself as Canada's No. 1 trusted company for 3D ultrasounds, but UC Baby has shut down its video service across the country because of a lack of security, after a CBC News investigation raised questions about whether customers can trust the service to protect their privacy.
A tip from a viewer alerted CBC News to the vulnerability of the site, which allowed access to ultrasounds on its server, as well as the family name, city or town and the time and day the ultrasound was performed.
"It's just a really big shock right now for me," UC Baby owner Dr. Tina Ureten said in a phone interview from Florida. "I didn't know it was so easy [to access videos]."
UC Baby has 27 locations in Canada where expectant parents can pay for an "entertainment" ultrasound to see their unborn child. They are charged $175 for the package, which includes posting the ultrasound video on the company's website for a month.
Michael Wozney and his wife, Cinthia, went to UC Baby in St. John's for an ultrasound before their baby, Maya, was born.
"The way we understood it, [the video] should have been limited to close family and friends with our permission," said Wozney. It was "a bit of shock" and disturbing to learn others could access their ultrasound, he said.
In order to view their ultrasounds, UC Baby requires parents to sign in with a session ID, email and password. However, information provided to CBC News showed that it was possible for others to access ultrasounds the company has currently posted at each of its 27 clinics across the country.
'Serious lapse of security'
We took that information to Dr. Srini Sampalli, a computer science professor at Dalhousie University in Halifax who specializes in cyber security. He did some preliminary analysis using basic security tools.
"[This] indicates to me there has been a serious lapse of security unknowingly or otherwise," Sampalli said. "They have let in a security breach in their software which makes all data residing on their server publicly available."
He said hackers are becoming increasingly smart and sophisticated and almost anything on the internet these days is fairly easy game for hackers.
"Given that, it is disappointing and shocking that the company has not even taken the basic measures to ensure security of their data," he said.
Sampalli said his research shows the company is not SSL certified, a step more companies are taking to safeguard their customers' private information. SSL (secure sockets layer) is used to establish a secure encrypted connection between a user's computer and a website.
In fact, UC Baby had signed off on its own security.
Ureten said she was disappointed to learn the videos were not secure.
"I pay a lot of attention to the privacy and confidentiality of these files," she said.
Ureten said even she was required to contact the location and the client before accessing an ultrasound.
UC Baby was notified of the breach on March 10 by the office of Nova Scotia's privacy commissioner, but it continued to post ultrasounds until March 16, when owner Ureten told CBC News the company would stop the video-on-demand service immediately.
"[We] will move the service to another platform and will revise the whole system using SSL," she told CBC News in a subsequent email, adding that SSL was not commonly used when the company started the service in 2005, which is why the service was lacking that feature.
"It is surprising to see an organization not take immediate action," said privacy lawyer David Fraser, noting every organization that has any amount of personal information needs to have a plan about what to do in the event of a breach. "The very first thing is you contain it. You stop it from going further."
Fraser said the ultrasounds may not be covered by privacy rules around health information, but he said they are still sensitive personal information that must be protected.
He said companies are obligated under privacy laws (with some variations in B.C., Alberta and Quebec) to safeguard information in a way that is appropriate to the sensitivity of that information.
The federal privacy commissioner's office told CBC it is aware of the situation and has been in touch with the company.