MONTREAL — A web-based portal for Quebec medical professionals is only accessible through an outdated web browser, The Logic has learned, bringing into question the security of millions of medical records in the province.

In an email dated May 5, a copy of which The Logic obtained, Quebec’s public health insurance authority told medical practitioners they must use Microsoft Internet Explorer to access Dossier santé Québec (DSQ), the province’s medical records database, which contains the health data of the vast majority of Quebecers.

The email further warns against installing Microsoft Edge, the company’s successor to Internet Explorer, “even if a Microsoft message directs you to do so,” and provides a workaround to avoid automatic downloads of Edge. Medical professionals using Microsoft Windows 11 must follow another procedure to use the DSQ, which requires technical support.

Since its launch in 1995, Internet Explorer has been plagued with what Wired magazine deemed “an endless parade of deeply problematic security issues.” This includes a so-called “zero-day vulnerability” in Internet Explorer’s source code that could allow hackers to gain access to user computers in order to steal data and install malicious software. Citing Internet Explorer’s obsolescence, Microsoft itself has warned of the “perils” of using the browser. 

The last version of the browser, Internet Explorer 11, dates back to 2013, and the browser ceased supporting Microsoft 365 apps in August 2021. While Microsoft updates Internet Explorer about once a month, according to Microsoft spokesperson Karen Wong-Duncan, the company is putting an end to its support of the browser on June 15. “We recommend that all users transition to Microsoft Edge, which has a dual engine advantage that supports both legacy and modern websites,” Wong-Duncan said via email. (Google updated its Chrome browser more than 40 times in April alone.) 

Medical professionals have long criticized DSQ, which was first dreamed up in 2006 as a way to digitize the paper trail following Quebec patients. Officially launched in 2013, DSQ suffered long delays, and its connectivity between the province’s many health facilities is often spotty, despite a nearly $3-billion price tag. The DSQ remains an abiding concern for the doctors who use it. “We get a lot of complaints from our members, largely about gaining access and system crashes,” Jean-Pierre Dion, a spokesperson with the province’s general practitioners union, told The Logic. 

Quebec’s health ministry says “measures and mechanisms” within its systems ensure “the safety, confidentiality, availability, integrity, accessibility and irrevocability of the health information in the QHR.” Yet experts say accessing Quebecers’ medical data through Internet Explorer makes the user especially vulnerable to “spoofing,” in which an attacker creates a seemingly legitimate site in order to harvest personal information.

“We’re talking about antiquated technology, and that’s something that invariably [hackers] find a weakness that they can manipulate,” said Ryan Witt, a managing director of health practice at cybersecurity firm Proofpoint. Health data, which includes full names, addresses, medicare card numbers and medical history of patients and their children, is particularly alluring to hackers. “Probably the most valuable data within that is children’s data, because you can almost become the stakeholder who establishes that data. And if you’re the person who initially establishes that data, it’s hard to recover from.”

Microsoft Edge “requires a set of adjustments in order to maintain the compatibility of the device while maintaining the highest safety standards related to the use of the DSQ,” health ministry spokesperson Marjorie Larouche told The Logic via email. Nevertheless, Larouche says the ministry will release a fix to the problem in early June—before Internet Explorer goes dark.