Listen to this article
Estimated 4 minutes
The audio version of this article is generated by AI-based technology. Mispronunciations can occur. We are working with our partners to continually review and improve the results.
Three dozen health-care professionals were caught “snooping” into the medical records of people who were patients in the aftermath of the Lapu-Lapu Day tragedy in Vancouver last year, according to a new report by B.C.’s information and privacy commissioner.
Discipline included suspension and termination, according to the report from the Office of the Information and Privacy Commissioner (OIPC) released Wednesday.
The Lapu-Lapu Day festival in Vancouver ended tragically on April 26, 2025, after a car ramming killed 11 people and injured at least 31 more.
Commissioner Michael Harvey said the report shows that snooping can and will be detected and disciplined.
“It is intolerable in our health-care system,” Harvey said.
His office received multiple privacy breach notifications from Vancouver Coastal Health Authority, the Fraser Health Authority, Providence Health Care and the Provincial Health Services Authority.
There were 71 snooping incidents on the records of 16 individuals by 36 health-care workers.
“In most cases, these employees invaded individuals’ privacy to satisfy their own curiosity,” the report said.
The health systems know, according to Harvey, that in the aftermath of a tragedy comes increased curiosity.
“For that reason, the health authorities in this case did put in place special measures, special safeguards to prevent snooping and also special measures to detect it and respond to it,” he said.
The health authorities and Providence Health Care had sent notices reminding staff about the need to respect privacy in high profile incidents, suspended access to some records and added warnings on medical records of some admitted patients, among other measures, according to the report.
Snooping in health care, which the OIPC said often includes accessing medical records when the employee is not involved in the care of a patient, is “particularly egregious” due to the trust relationship between patients and health-care workers.
Harvey noted patients often show up to hospitals and health-care facilities “in their most vulnerable moments.”
“When they do that, they need to be not worrying about their personal information. They need to be worrying about whatever life-changing event has caused them to show up in that clinical setting.”
Harvey said if workers aren’t treating a patient or if they don’t need certain information for the specific purpose to benefit a patient, then they don’t have access to it.
“People in our health-care system know this. Their training is mandatory,” Harvey said.
In a joint statement, the Provincial Health Services Authority, Vancouver Coastal Health, Fraser Health and Providence Health Care said the inappropriate patient privacy breaches were “unacceptable and inexcusable.”
They said, once identified, the breaches were investigated and employees disciplined.
“We are also expediting the implementation of a more robust audit solution with additional real time privacy audit functions to strengthen existing safeguards.”
They collectively accepted all of the OIPC’s recommendations, which included updating privacy breach procedures to include information about notification requirements and disciplinary guidelines, and continuing efforts to use automated auditing software with a focus on real-time alerts and automated access prevention.
The Provincial Health Services Authority noted 26 of its staff were found to have breached patient privacy and records of the alleged perpetrator.
The employees, across all the health authorities, who accessed personal information included nurses, administrative support workers, a pharmacist and medical students, according to the report.
The discipline they received ranged from letters of expectation to termination, the report said, with the majority of employees getting suspended.
