Half of the victims taken to hospital for medical care after Vancouver’s tragic Lapu-Lapu Day attack had their privacy breached, a new report finds.
On Wednesday, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) published the results of an investigation that began after receiving reports of ‘snooping’ from Vancouver Coastal Health (VCH), the Fraser Health Authority (FHA), Providence Health Care (PHC) and the Provincial Health Services Authority (PHSA).
CLICK HERE TO LISTEN TO 1130 NEWSRADIO VANCOUVER LIVE!
On April 26, 2025, a driver rammed an SUV through the crowds at a Filipino street festival, killing 11 people and injuring dozens more.
The OIPC says VCH reported the first incident of unauthorized access to patient information by employees on April 30.
Between then and June 20, the office says it received reports of 71 more snooping incidents into the medical records of 16 people — half of the total who received care related to the attack.
“These breaches were committed by 35 employees of the health authorities and PHC, and in one other case, by an assistant at a physician’s office who had access to an FHA electronic medical records system. In most cases, these employees invaded individuals’ privacy to satisfy their own curiosity,” said the OIPC.
It added, “In some cases, employees accessed patient records multiple times. For example, in one instance, an employee accessed the personal information of nine patients in a single day; in another case, an employee repeatedly accessed one patient’s file. Moreover, two employees went on to disclose patient information to colleagues.”
The report says privacy violations can lead to further stress on patients, deteriorate the reputation of the health-care system, and compromise care.
“In the digital age, with personal health information stored in information systems and accessed in seconds by way of a login, it is of paramount importance that public bodies have measures in place to secure personal information from unauthorized access.”
In a video statement, Commissioner Michael Harvey said the authorities had reasonable security measures to prevent snooping, but found that those measures can be overcome, and more needs to be done to prevent breaches and contain the risk of harm.
“As evidenced by the fact that the snooping happened, they weren’t perfect,” said Harvey.
His report says the violators faced a variety of sanctions for their actions, including “written reprimands, decommissioning access to records systems, suspensions, and termination.”
“Some employees were also required to retake privacy training and re-sign confidentiality agreements, and all are subject to additional monitoring.”
The report includes nine recommendations to both specific and all health authorities, including imposing more disciplinary measures strong enough to effectively sanction and deter snooping.
“After reviewing the report, the health authorities accepted the recommendations and had moved ahead with notifications,” said Harvey.
“I think this is important as people should be able to know what happened to their’s or their loved one’s private information and what is being done about it. “
Meanwhile, B.C.’s Filipino community is calling it a violation of people’s trust.
The chair of Filipino BC, RJ Aquino, says that those who had their privacy breached are feeling vulnerable and angry. Some of them even fear for their personal safety.
“Concerns of what information is out there and who is using that information for what,” said Aquino.
“Having read the report, citing curiosity as one of the main reasons that people did this snooping is just unfathomable.”
He argues that when people are at their most vulnerable, there should always be an expectation of trust and confidentiality.
“It’s not just that they are concerned about their personal information being leaked; they really are entrusting organizations with extremely sensitive and private information, and it really is just a violation and gross breach of that trust to have that information be unlawfully accessed.”
Aquino wants to see the B.C. government step in to make systemic changes to ensure no one of the victims of this breach falls through the cracks.
“Filipino BC is a small non-profit; we were festival organizers one day and crisis response organization the next. We are not built for this in the long run, and while we continue to step in and provide care and try to fill in those gaps, the government needs to step in,” he said.
According to Clifford Belgica, President of the Philippine Nurses Association of BC, these snooping incidents have been happening for a number of years.
“Some of the staff are being punished; they get suspensions for one month, two weeks, six months, depending on how long they were on the record,” said Belgica. “Some would just snoop for 10 seconds, some would snoop for 30 minutes.”
Belgica stresses that nurses can not afford to violate patient privacy, even if they have honest intentions.
“You are not allowed to look at patient records unless you are taking care of the patient directly. Those are basic rules.”
In a joint statement from PHSA, VCH, FHA and PHC say these breaches are “unacceptable” and “inexcusable.”
“There were inappropriate patient privacy breaches by staff members across all our organizations related to that incident, despite the preventative measures we have in place to protect the privacy and security of patient information,” they said in a written statement.
All health authorities say that they have identified the people who did the breach and have now launched a formal investigation.
They promised that they have taken immediate actions, including disciplinary measures against the staff members involved.
“We are also expediting the implementation of a more robust audit solution with additional real-time privacy audit functions to strengthen existing safeguards,” the statement continued. “Collectively, we accept all recommendations in the report.”
The health authorities have identified 38 staff members in total, three more than the OIPC report stated.
26 Provincial Health Services Authority staff, four at Vancouver Coastal Health, seven at Fraser Health and one at Providence Health Care were found to have participated in the privacy breach.
