Full Report
A report issued by the Office of the Information and Privacy Commissioner for British Columbia states: Between April 30, 2025 and June 20, 2025 the OIPC received breach notifications from the Vancouver Coastal Health Authority (VCH), the Fraser Health Authority (FHA), Providence Health Care (PHC), and the Provincial Health Services Authority (PHSA) for privacy breaches...
Analysis Summary
# Incident Report: Internal Medical Record Snooping Post-Lapu Lapu Day Festival
## Executive Summary
Multiple British Columbia health authorities experienced a series of privacy breaches involving unauthorized employee access ("snooping") to patient records following a tragic event at the Lapu Lapu Day festival. Over a two-month period, 36 staff members—driven primarily by personal curiosity—conducted 71 unauthorized views of records belonging to victims and patients. The Office of the Information and Privacy Commissioner (OIPC) for BC investigated the incidents, highlighting a critical failure in internal privacy culture despite existing technical access controls.
## Incident Details
- **Discovery Date:** Notifications received between April 30, 2025, and June 20, 2025
- **Incident Date:** Beginning April 26, 2025
- **Affected Organizations:** Vancouver Coastal Health Authority (VCH), Fraser Health Authority (FHA), Providence Health Care (PHC), and Provincial Health Services Authority (PHSA)
- **Sector:** Healthcare
- **Geography:** British Columbia, Canada
## Timeline of Events
### Initial Access
- **Date/Time:** April 26, 2025 (immediately following the festival tragedy).
- **Vector:** Authorized Internal Access / Insider Threat.
- **Details:** Employees utilized their legitimate login credentials for Electronic Medical Record (EMR) systems to view files of individuals for whom they were not providing direct clinical care.
### Lateral Movement
- **Movement:** Technical lateral movement was not required; attackers (employees) utilized existing access rights within the health authorities' internal networks and EMR databases (e.g., FHA electronic medical records system).
### Data Exfiltration/Impact
- **Impact:** Intentional, unauthorized access to sensitive personal health information. 71 specific "snooping" incidents were recorded affecting 16 individual patients.
### Detection & Response
- **Discovery:** Detected via internal auditing of access logs and subsequent self-reporting by the involved health authorities to the OIPC.
- **Response Actions:** Organizations reported the breaches to the OIPC as required by law; the OIPC subsequently launched a formal investigation into the systemic nature of the snooping.
## Attack Methodology
- **Initial Access:** Valid User Credentials.
- **Persistence:** Not applicable (standard employee access).
- **Privilege Escalation:** None; abused existing access privileges.
- **Defense Evasion:** None; actions were recorded in standard audit logs.
- **Credential Access:** Not applicable.
- **Discovery:** Internal search/lookup of specific patient names identified via news reports or social media related to the festival tragedy.
- **Lateral Movement:** Not applicable.
- **Collection:** Viewing of electronic medical records.
- **Exfiltration:** No evidence of external exfiltration; the data was "consumed" via visual access by the employees.
- **Impact:** Loss of patient confidentiality and breach of privacy legislation.
## Impact Assessment
- **Financial:** Costs associated with internal investigations, OIPC reporting, and potential legal/disciplinary actions.
- **Data Breach:** Unauthorized access to healthcare records of 16 individuals.
- **Operational:** Diversion of resources to conduct 71 individual incident audits and the OIPC investigation.
- **Reputational:** High; the OIPC categorized the actions as an "affront to dignity" and a breach of public trust in the healthcare system.
## Indicators of Compromise
- **Behavioral indicators:** Accessing patient records without an assigned clinical relationship or "need to know" basis; high-volume searches for specific names following a high-profile public event.
## Response Actions
- **Containment:** Suspension or restriction of access for identified employees.
- **Eradication:** Disciplinary actions against the 35 health authority employees and one physician’s assistant.
- **Recovery:** Notifications sent to the 16 affected patients regarding the breach of their information.
## Lessons Learned
- **Human Factor:** Technical access controls alone are insufficient if employees do not respect the ethical and legal boundaries of their permissions.
- **Event-Driven Risk:** High-profile public tragedies act as a catalyst for insider snooping, requiring proactive monitoring during such periods.
- **Audit Logging:** Robust logging is essential for post-incident discovery and accountability.
## Recommendations
- **Proactive Auditing:** Implement automated "trigger" alerts for access to high-profile patient files or victims of public incidents.
- **Privacy Training:** Regular, mandatory re-certification on the "need to know" principle and the legal consequences of snooping.
- **Strict Enforcement:** Publicize that privacy violations lead to immediate disciplinary action or termination to act as a deterrent.
- **Zero-Trust Principles:** Further refine access controls to ensure employees can only access records for patients currently under their specific care.
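The trigger-alert auditing recommended above, combined with the behavioural indicator listed under Indicators of Compromise (access with no care relationship, repeated after a high-profile event), as an added example that is not from the OIPC report or any health authority's system. The care-team assignments, watch-list dates, audit entries and the `user_threshold` of two are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from collections import Counter

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime    # when the record was opened
    user: str       # EMR account that opened it
    patient: str    # owner of the record
    action: str     # e.g. "VIEW"

# Constructed sample data (not from the report): who is assigned to each
# patient, which records are watch-listed and from when, and an audit trail.
CARE_TEAM = {"P-001": {"nurse01", "md07"}, "P-002": {"md07"}}
WATCHLIST = {"P-001": datetime(2025, 4, 26), "P-002": datetime(2025, 4, 26)}

AUDIT_LOG = [
    AccessEvent(datetime(2025, 4, 26, 9, 5), "nurse01", "P-001", "VIEW"),   # assigned
    AccessEvent(datetime(2025, 4, 26, 12, 30), "clerk22", "P-001", "VIEW"), # no relationship
    AccessEvent(datetime(2025, 4, 27, 8, 10), "clerk22", "P-002", "VIEW"),  # no relationship
    AccessEvent(datetime(2025, 4, 25, 15, 0), "rn14", "P-002", "VIEW"),     # before trigger date
    AccessEvent(datetime(2025, 4, 28, 10, 0), "md07", "P-002", "VIEW"),     # assigned
]

def detect_snooping(events, care_team, watchlist, user_threshold=2):
    """Return (alerts, repeat_offenders).

    alerts: one tuple per access to a watch-listed record, on or after its
            trigger date, by a user with no care-team assignment to it.
    repeat_offenders: users whose alert count reaches user_threshold, the
            high-volume pattern named in the Indicators of Compromise.
    """
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        trigger = watchlist.get(ev.patient)
        if trigger is None or ev.ts < trigger:
            continue  # record not watch-listed at that time
        if ev.user in care_team.get(ev.patient, set()):
            continue  # assigned clinician: need-to-know holds
        alerts.append((ev.user, ev.patient, ev.ts.isoformat(),
                       "access_without_care_relationship"))
    counts = Counter(a[0] for a in alerts)
    offenders = sorted(u for u, n in counts.items() if n >= user_threshold)
    return alerts, offenders

if __name__ == "__main__":
    found, repeat = detect_snooping(AUDIT_LOG, CARE_TEAM, WATCHLIST)
    for a in found:
        print("ALERT", *a)
    print("repeat offenders:", repeat)
```

In a real deployment the care-team lookup would come from encounter or scheduling data and the watch-list would be populated by the privacy office when a public event makes specific patients newsworthy; the per-user count is what turns single alerts into the pattern auditors look for.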