‘Snooping is illegal, unethical and an egregious and intentional invasion of our privacy,’ says privacy commissioner
Thirty‑six health‑care workers across three British Columbia health authorities improperly accessed the medical records of Lapu Lapu Day Festival victims 71 times, in what the province’s privacy watchdog has called an “egregious and intentional invasion” of privacy.
In Investigation Report 26‑02, released by the Office of the Information and Privacy Commissioner for British Columbia (OIPC), Commissioner Michael Harvey found that 16 individuals who were sent to medical facilities after the April 26, 2025 tragedy at the Filipino‑Canadian community event had their personal information “snooped” on by staff who were not involved in their care.
That represents half of the 32 people sent to facilities operated by Vancouver Coastal Health (VCH), Fraser Health Authority (FHA), Providence Health Care (PHC) and the Provincial Health Services Authority (PHSA).
Contraventions of privacy act
The report concludes that each of the 71 incidents constituted a contravention of section 25.1 of the Freedom of Information and Protection of Privacy Act (FIPPA), which prohibits employees of public bodies and service providers from collecting, using or disclosing personal information except as authorised.
The fatal vehicle attack at Vancouver’s Lapu-Lapu Day festival in April resulted in 11 deaths and numerous injuries. The Lapu-Lapu Day tragedy, among other events, contributed to the need for additional staffing at the Vancouver Police Department (VPD), according to a previous report.

Commissioner condemns ‘egregious’ conduct
“Snooping is illegal, unethical, and an egregious and intentional invasion of our privacy,” Harvey wrote in the OIPC report. “It also breaks trust with those in health care that are serving us in a time of need.”
The Commissioner said the investigation took a trauma‑informed approach and did not revisit the details of the SUV attack that killed 11 people and injured dozens more. Instead, it focused on what occurred in the health‑care system soon after, as employees accessed medical records out of curiosity or other non‑work‑related reasons.
According to the OIPC, most of the breaches involved intentional, unauthorised access to demographic and clinical information, including names, dates of birth, addresses, health numbers, diagnoses, medications, lab results and case notes. In one instance, an employee accessed the records of nine patients in a single day; in another, a worker repeatedly opened the same patient’s file. Two employees went on to disclose patient information to colleagues.
The snooping was carried out by a range of staff, including administrative support workers, nurses, a pharmacist, a clinical fellow, medical students and other clinical and non‑clinical roles. All but one of the individuals had completed mandatory privacy training before the incidents, the report notes.
Ontario’s information and privacy commissioner previously reported an increase in employee snooping incidents in the province.

Safeguards in place, but notification failed
The OIPC found that VCH, PHSA and FHA had “reasonable security safeguards” in place to protect against unauthorised access, including role‑based access controls, privacy policies, confidentiality agreements, system notices, and logging and auditing of user activity. The health authorities also conducted targeted audits after recognising the risk of snooping in the wake of the high‑profile incident, and imposed discipline ranging from letters of expectation and suspensions to termination of employment and, in some cases, reports to professional regulatory colleges.
However, the report is sharply critical of how notification to affected individuals was handled. Overall, the OIPC found that while containment, risk assessment and prevention steps largely met the reasonable safeguards requirement in section 30 of FIPPA, the failure to provide timely notification meant “the overall breach response was not compliant with FIPPA.”
“Whatever the motivation, the law is clear – you cannot access people’s records without proper authorization or a need to know. And that applies to all employees,” Patricia Kosseim, commissioner of the Information and Privacy Commissioner of Ontario (IPC), said in a previous interview with Canadian HR Reporter.
Recommendations
The report made the following recommendations for the employers:
- Clearly convey in privacy training that system activities are monitored and that discipline will be imposed for snooping.
- Plainly state in confidentiality agreements that system use is monitored and consequences will be imposed for breaches of privacy and confidentiality.
- The health authorities revisit their privacy notices. For Fraser Health this includes making greater use of Meditech privacy notices and working to implement a comprehensive confidentiality warning in its Paris system.
- VCH and FHA update their privacy breach procedures to include information about mandatory breach notification requirements.
- VCH develop disciplinary guidelines for privacy breaches that involve snooping.
- VCH and PHSA must provide notification, as required by s. 36.3(2) of FIPPA, subject to the circumstances listed under s. 36.3(3).
- Continue existing efforts to deploy automated auditing software, with a focus on real‑time alert generation and automated access prevention, where possible.
- Review role‑based access controls to prevent access rights from being inherited or mistakenly applied.
- Apply disciplinary measures for snooping that are strong enough to effectively sanction and deter snooping, including notifying regulatory colleges as required or appropriate.
“I call on all public bodies to review the recommendations in this report, and their own protocols to prevent snooping and reinforce that it cannot be tolerated,” Harvey said.