Health-Care Workers ‘Snooped’ Records of Lapu Lapu Victims

Dozens of health-care workers snooped in the medical files of those hospitalized in last year’s Lapu Lapu Day attack in Vancouver, a new investigation by B.C.’s privacy watchdog has revealed.

The chair of the Filipino community organization that planned the festival where the attack occurred says he was surprised and disappointed to learn Wednesday that health-care workers violated provincial privacy laws and accessed private patient information following the tragedy that killed 11 people and sent dozens more to hospital.

“The anxiety is palpable from folks who don't know whether this very private information is out there, and some are even fearing for their safety,” Filipino BC chair RJ Aquino told The Tyee. “When people are at their most vulnerable, there should always be an expectation of trust, confidentiality and privacy.”

The revelations were contained in an investigation report released this week by B.C.’s Office of the Information and Privacy Commissioner. It found that 36 employees, including 35 health authority staff and one assistant working in a physician’s office, used their access to private patient health information to snoop on those hospitalized following the attack.

The staff were employed by several B.C. health authorities and one independent faith-based health-care organization. Of the snooping workers, 15 were nurses and 13 were employed as administrative support workers. The rest were distributed among eight other jobs.

In total, 71 privacy breaches were uncovered in the report. Although a handful of workers cited personal concerns or concerns for their community for accessing the records, the report found that in most cases staff accessed the information to “satisfy their own curiosity.”

“They violated the privacy of those who had just been through a terrible and life-changing experience,” B.C. information and privacy commissioner Michael Harvey wrote, adding that the investigation was launched to provide a thorough review and “better protect patient information from snooping in the future.”

In a joint statement sent to The Tyee, the Provincial Health Services Authority, Vancouver Coastal Health, Fraser Health and Providence Health Care said they “appreciate the critical importance of protecting the privacy of our patients” and work to reinforce this duty to staff.

The care providers added that “the breaches are unacceptable and inexcusable.”

“Once we identified them, we launched a formal investigation and took immediate actions, including disciplinary measures against the staff members involved,” they said, adding that they are expediting implementation of “a more robust audit solution” with additional safeguards.

“Collectively, we accept all recommendations in the report.”

However, the report revealed that two health authorities initially balked at notifying those whose privacy was breached, saying it could cause undue stress. The information commissioner disagreed.

“People living in British Columbia should be able to know if their sensitive medical information has been breached and how that breach was remedied,” Harvey wrote in the report. “This is the only way that individuals affected by a breach can take steps to protect themselves.”

Notification also encourages accountability, Harvey added.

While Aquino said there was confusion Wednesday among the Filipino community about whose information had been accessed, the commissioner’s office confirmed that everyone affected by the breach has now been notified.

16 hospitalized people had privacy breached

Tragedy struck Vancouver on the evening of April 26, 2025, when a man drove an SUV into a crowd at a festival celebrating the Filipino holiday of Lapu Lapu Day. The attack killed 11 people between the ages of five and 65 and sent dozens more to hospital.

Kai-Ji Adam Lo was arrested at the scene and now faces 42 criminal charges, including 11 counts of second-degree murder and 31 counts of attempted murder.

Of those sent to hospital following the attack, 16 people — half of those who received medical care — had their privacy breached, including at least one person who died, according to the information commissioner’s report. Those found to have snooped worked for Vancouver Coastal Health Authority, Fraser Health Authority, Provincial Heath Services Authority and Providence Health Care.

Harvey wrote that “the majority of snooping-related privacy breaches that are reported to my office every year involve the health sector.” He said the high number of breaches likely reflects the large number of people employed by health authorities, the volume of sensitive information that they house and the existence of safeguards that detect privacy breaches.

Discipline for those caught browsing patient records without cause ranged from warning letters to terminations, with the majority of punishments involving a suspension.

“Snooping is illegal, unethical, and an egregious and intentional invasion of our privacy,” Harvey wrote. “It could not be simpler: providing care for individuals also means respecting their privacy.”

Among nine recommendations made in the report is that staff be made aware that any snooping can be tracked and that there are consequences for privacy breaches.

Harvey said the widespread snooping showed safeguards protecting personal health information are imperfect. But in an interview with The Tyee, he underscored that the safeguards had effectively alerted the oversight body to the breaches.

Harvey told The Tyee that he expects there “have been learnings across the health system” following the investigation.

“The public should take away from this that they can trust their health authorities and that there are safeguards in place and there are efforts in place to make them stronger,” Harvey said. “When people show up in our health system they are often at the most vulnerable moments and the last thing that any of us need is to suffer additional harms by having their privacy violated.”

The investigation was launched on April 30 after Vancouver Coastal Health reported the first breach of patient information to the information commissioner’s office and said it was taking steps to restrict access to patient records. Additional reports from other health authorities were made on May 30 and June 20.

Given the seriousness of the reports, Harvey determined there was a need to launch an investigation across the health authorities that had reported snooping activities.

The information commissioner said the organization took a trauma-informed approach, including seeking expert advice on how to conduct a transparent investigation while also respecting those directly affected by the tragedy.

Asked whether he believes similar breaches are widespread across the health-care system, Harvey said the Lapu Lapu Day tragedy was unique as a mass casualty event and that health authorities should anticipate “curiosity-based snooping” and have protocols in place during similar events.

He said his office has not been notified of any privacy breaches in the wake of last week’s Tumbler Ridge school shooting, which killed nine people and sent two seriously injured youths to hospital.

Harvey added that all B.C. health authorities were canvassed following the Lapu Lapu Day breaches and that the Northern Health Authority, where Tumbler Ridge is located, would have been aware of the issue. His office has also reached out to the Northern Health Authority and offered support over the past week, he said.

Aquino said the snooping disclosure has renewed concerns within the Filipino community, which continues to struggle in the aftermath of last April’s attack.

Aquino’s organization, Filipino BC, has pivoted over the past year from being a small event organizer to offering community support in the face of what he described as systemic gaps. He said the privacy breaches are another example of how the province has “failed to adequately respond to the scale and depth of what happened last April.”

“There are still people who need real, tangible help and support that they’re not getting,” he said. “A lot of people are starting to feel unseen and unheard and forgotten. This is just another disappointing milestone.”

Asked Wednesday in the legislature about the privacy breaches, Health Minister Josie Osborne expressed gratitude to the privacy commissioner for undertaking the review and said the health authorities are taking concerns seriously.

The report “sends a very clear message to anybody working at the health authority who’s handling private records of people that these are confidential [and] that it is so important that people’s autonomy, that their dignity, is respected, that they have the trust and confidence in the system,” Osborne said.

“This kind of action really violates that trust. It’s important for us to rebuild it.”