16 Lapu-Lapu Day victims had medical privacy breached: report

Half of the victims taken to hospital for medical care after Vancouver’s tragic Lapu-Lapu Day attack had their privacy breached, a new report finds.

On Wednesday, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) published the results of an investigation that began after receiving reports of ‘snooping’ from Vancouver Coastal Health (VCH), the Fraser Health Authority (FHA), Providence Health Care (PHC) and the Provincial Health Services Authority (PHSA).

On April 26, 2025, a driver rammed an SUV through the crowds at a Filipino street festival, killing 11 people and injuring dozens more.

The OIPC says VCH reported the first incident of unauthorized access to patient information by employees on April 30.

Between then and June 20, the office says it received reports of 71 more snooping incidents into the medical records of 16 people — half of the total who received care related to the attack.

“These breaches were committed by 35 employees of the health authorities and PHC, and in one other case, by an assistant at a physician’s office who had access to an FHA electronic medical records system. In most cases, these employees invaded individuals’ privacy to satisfy their own curiosity,” said the OIPC.

It added, “In some cases, employees accessed patient records multiple times. For example, in one instance, an employee accessed the personal information of nine patients in a single day; in another case, an employee repeatedly accessed one patient’s file. Moreover, two employees went on to disclose patient information to colleagues.”

The report says privacy violations can lead to further stress on patients, deteriorate the reputation of the health-care system, and compromise care.

“In the digital age, with personal health information stored in information systems and accessed in seconds by way of a login, it is of paramount importance that public bodies have measures in place to secure personal information from unauthorized access.”

In a video statement, Commissioner Michael Harvey said the authorities had reasonable security measures to prevent snooping, but found that those measures can be overcome, and more needs to be done to prevent breaches and contain the risk of harm.

“As evidenced by the fact that the snooping happened, they weren’t perfect,” said Harvey.

His report says the violators faced a variety of sanctions for their actions, including “written reprimands, decommissioning access to records systems, suspensions, and termination.”

“Some employees were also required to retake privacy training and re-sign confidentiality agreements, and all are subject to additional monitoring.”

The report includes nine recommendations to both specific and all health authorities, including imposing more disciplinary measures strong enough to effectively sanction and deter snooping.

“After reviewing the report, the health authorities accepted the recommendations and had moved ahead with notifications,” said Harvey.

“I think this is important as people should be able to know what happened to their’s or their loved one’s private information and what is being done about it. “

1130 NewsRadio has reached out to the health authorities and Filipino BC for comment.

—With files from David Nadalini.