Former MLA Thomas Dang pleads guilty to hacking Alberta's COVID-19 vaccine records portal

Alberta MLA Thomas Dang says he accessed a stranger's COVID-19 vaccination records last year but immediately informed a member of the NDP caucus staff that the site's security was compromised. (Travis McEwan/CBC - image credit)

Edmonton-South MLA Thomas Dang has pleaded guilty to one charge under the Health Information Act for using encryption tools to infiltrate Alberta's COVID-19 vaccine records website last year.

Court documents show the former NDP MLA hacked the website after he received a tip that the health information on the portal could be easily accessed.

Dang has a background in computer science and cyber security, and used what he called "basic encryption tools" to run computer scripts over a four-day period.

From Sept. 19-23, 2021, Dang generated more than 1.75 million queries. The agreed statement of facts says Dang initially ran tests with his own information, and then used former Premier Jason Kenney's date of birth and vaccination dates to test if he could access Kenney's health number.

After five attempts, his internet protocol (IP) address was blocked. Dang said he bypassed the block using a widely available program — or script — and regained access to the website.

He said he wrote an automated program to test the system. Using it, he found the record of a person who shared Kenney's birthday and had received a vaccine in the same month as the premier.

Previously, Dang said that after he alerted NDP caucus staff and the information was relayed to Alberta Health, the province released a new version of the website within a week. The new version fixed the flaw he had identified.

Crown prosecutor Craig Krieger said in court Friday that although he believes Dang did not access the information with malicious intent and may have conducted the search to improve the website, he did it "in the worst way possible."

Last November, Alberta Health revealed it received reports of at least 12 users who downloaded the wrong information from the province's COVID-19 vaccination record website. The record those users downloaded contained the name, date of birth and vaccine information. The government said no other information was leaked.

The province eventually amended the website by adding a CAPTCHA, which forces users to check a box confirming they are not a robot.

A privacy commissioner investigation is also underway to determine why the portal was created with flaws leading to possible hacking and access to personal information.

The Crown is seeking a $10,000 fine, while Dang's defence is asking for under $4,000 based on legal principle.

Dang's sentencing is set to take place on Nov. 29.