Nurse Leslie Warner will never forget being taken to her local RCMP detachment in Fernie, B.C., in 2022 and charged in a social security fraud operating out of Alberta.
She says she was fingerprinted and had her mug shot taken.
“I was like: ‘Oh my God, this is my identity theft,'” Warner recalls telling police. “I did not do this.”
The fraud charges were dropped soon after she explained that an imposter had been using her identity since 2020, when someone hacked into her Canada Revenue Agency account and filed a bogus return in Alberta that stated tax preparation company H&R Block was her new “authorized representative.”
But Warner had never authorized H&R Block to file her taxes.
Warner said she has been trying for years to understand how her identity — and at times her life — came to be hijacked. She is also still “nervous” about her CRA account being hacked again.
The Fifth Estate has learned that Warner’s name is one of thousands included in a massive breach of employees’ personal information — including social insurance numbers — from the British Columbia government’s Interior Health authority, which runs hospitals and medical facilities in the eastern part of the province.
While it is unclear how many of those names were exploited by fraudsters, The Fifth Estate has found that stolen identities from several Interior Health employees — past and present — have been used to obtain bogus CRA refunds and fraudulent loans in the past several years.
A former Ontario privacy commissioner says “it could be a nightmare” for individuals whose names and private identification are included in the breach.
“This is horrible,” said Ann Cavoukian, executive director of the Global Privacy and Security by Design Centre. “These are the things that have to be brought to the public’s attention.”
‘Anonymous’ sends Fifth Estate list of stolen identities
A source, identifying themselves only by the name “Anonymous,” wrote to The Fifth Estate last month and shared what they said was a list of names stolen from the B.C. government agency.
The source said they obtained the list from sellers operating on the “dark web” who set up a group on the encrypted Telegram app in 2017 and then sold the data for about $1,000. The Fifth Estate has not independently verified the existence of the Telegram group or how much the data was sold for.
However, The Fifth Estate has confirmed with numerous people on the stolen list that they did in fact work for B.C.’s Interior Health authority. All of them said that the information contained about them is accurate.
The breach includes social insurance numbers, home addresses and birth dates of more than 28,000 employees who worked at the agency between 2003 and 2009.
“As an ex-criminal who was involved in similar activities in the past, I now want to help others and right my wrongs,” Anonymous wrote in an email to The Fifth Estate. “I believe this information could be extremely valuable in identifying and contacting potential and future fraud victims.”
- If you worked at B.C.’s Interior Health authority between 2003 and 2009 and believe you may be the victim of stolen identity or a hacked CRA account, please email, in confidence, [email protected] or text or call 416-526-4704. Click here to contact CBC News completely anonymously using SecureDrop.
In their email to The Fifth Estate, Anonymous said the list was first obtained from a “data leak years ago” and that the information “has been sold and distributed to thousands of people over the past five to six years.” The Fifth Estate has not confirmed how many people obtained the data.
Scammers targeted H&R Block offices across Alberta
For Warner, the knowledge her name was on the list has convinced her this is how her identity was stolen.
She said she has even more questions now about how the breach happened, when it was first detected and how many other Interior Health employees have had their CRA accounts hacked or might in the future.
“This is happening in real time,” Warner said, adding she believes there are “masterminds” running the schemes who will continue “doing this to other people.”
A previous Fifth Estate/Radio-Canada investigation revealed that tens of thousands of Canadians have had their CRA accounts hacked since 2020 and that scammers have been taking advantage of security gaps between the Canada Revenue Agency and third-party tax preparation companies.
Special CRA access codes assigned to third-party tax preparation companies have been repeatedly exploited by fraudsters to get into Canadians’ tax accounts, The Fifth Estate learned.
The Fifth Estate reported in March that two taxpayers in B.C., one from Creston and one from Kelowna, had their accounts hacked in 2023 and bogus returns filed in their names by imposters who had targeted H&R Block locations in Alberta.
It turns out that both their names are also on the list of Interior Health employees recently leaked to The Fifth Estate. Like Warner, the Kelowna victim is also a nurse.
Now, new documents and interviews with more stolen identity victims have revealed that at least six people who worked for Interior Health in B.C. had their CRA accounts hacked by imposters using various H&R Block locations across Alberta.
A seventh stolen identity victim, a nurse from Penticton, was listed by imposters as the sole director of two federally registered shell companies in Edmonton. Fraudsters then used those fake companies in her name to produce the bogus T4 slips used in their tax frauds.
“I feel dirty having been a victim of this,” said the nurse, who did not want her name used publicly to protect her privacy, when contacted by The Fifth Estate.
Those seven victims’ names — and private identification — all show up in the leaked database of Interior Health authority employees that was sent to The Fifth Estate.
Warner’s ordeal began when she checked her CRA account in 2021 and realized an imposter had received a bogus tax refund in her name, after using her social insurance number and changing her email address and her direct deposit information to a bank account with Digital Commerce Bank in Calgary.
And she had noticed she had three new authorized representatives:
- H&R BLOCK (OFFICE 50575).
- H&R BLOCK (50638).
- H&R BLOCK CANADA, INC.
“I started looking through — my address had changed, my phone number had been changed. Suddenly I had children.”
Warner also noticed that the CRA sent a letter to the attention of an H&R Block tax preparer in Edmonton in March 2021, stating that he was Warner’s “authorized contact for electronic filing.” The following month records show the CRA sent a letter in her name to H&R Block’s headquarters in Calgary.
Warner was living and working in B.C. throughout that entire period.
Internal memos reveal H&R Block aware of fraudsters
In an email to The Fifth Estate last November, H&R Block stated it did not know of “any incidents” where Canadians had their CRA accounts hacked through the unauthorized use of its “EFILE credentials” — those special access codes that allow third parties to file returns on behalf of customers.
Still, internal H&R Block messages obtained by The Fifth Estate show that the company was aware that fraudsters were using their offices to file false returns.
An undated H&R Block memo labelled “Out-of-Province Tax Filers” states that: “We have seen an increase in fraud by people claiming to move from British Columbia to Alberta.”
Another notice to employees, dated April 14, 2022, stated that H&R Block has “seen fraudulent cases in Edmonton and Calgary” of bogus T4 slips from a fake company called “Hawt shotz Deliveries Inc.”
The following year, on June 15, 2023, an “updated” memo stated that “there are currently two fraudsters” trying to use bogus T4 slips from a numbered company in Edmonton. Imposters, the memo stated, tried unsuccessfully to get instant refunds at H&R Block locations in Red Deer and Edmonton.
The Fifth Estate reported last month that imposters used a fake T4 slip from that same numbered company to get an instant refund through an H&R Block office in Alberta, after successfully hacking into the CRA account of the former Interior Health employee living in Creston, B.C.
The internal H&R Block memo also warns that scammers appeared to be using fake IDs and the “stolen identity” of two more people whose names also show up in the leaked list from B.C.’s Interior Health authority.
One H&R Block employee, who says headquarters instructed its workforce this year not to talk to reporters, told The Fifth Estate they believe the tax preparation company’s main concern was “not losing money” rather than pursuing the fraudsters.
In a statement Friday, H&R Block said its previous statement about not knowing of any Canadians being affected by unauthorized use of its EFILE credentials is accurate.
“What you are referring to is a matter of identity theft and unrelated to EFILE credentials,” H&R Block said.
“It is misleading and irresponsible to make any assumptions around the circumstances relating to any fraudulent tax filing incident, and to make assertions about a specific party’s ultimate responsibility for it,” reads the statement.
H&R Block did not specifically address how imposters were able to successfully use H&R Block offices to process the bogus returns and hack into CRA accounts.
Interior Health alerted to stolen names last March
In March 2024, B.C.’s Interior Health Authority issued a media release that some employees’ personal information had been found during an RCMP investigation and asked anyone who had worked for the agency between 2003 and 2009 to call a 1-800 number to see if their name was on the list.
Several employees whose names, addresses, dates of birth and social insurance numbers show up on the list provided to The Fifth Estate say the health agency told them they were not on the list.
Interior Health has said the list the RCMP found contained 20,000 names. The list provided to The Fifth Estate contains 28,000 names.
In its media release last year, Interior Health said it had hired “external security experts” from audit and consulting firm Deloitte Canada who “confirmed that this information is not on the dark web.”
The dark web is often used by criminal networks to buy and sell stolen information.
In their email, Anonymous told The Fifth Estate that they learned about the stolen data on the dark web and any statement to the contrary “is untrue.”
“Me personally, as well as others, have bought it on Telegram shops, and other dark web forums,” Anonymous wrote. “I’m sure [Interior Health] released that statement as a protection from liability and act like it’s not that big of a leak.”
Information on the dark web can come and go over time.
Tens of thousands of tax accounts have been hacked and hundreds of millions of dollars have disappeared as criminals game the system by stealing identities and filing bogus returns. Could the CRA’s deals with tax companies be partly to blame?
Deloitte declined to answer questions about how, or when, it might have determined something was not on the dark web, citing client confidentiality.
In a statement, Interior Health’s vice-president of digital health, Brent Kruschel, wrote that “due to the age of the data and its broad scope, IH was not able to accurately confirm where the information came from.”
“As this remains an active RCMP investigation and before the courts, Interior Health is not able to provide additional information,” he said.
For her part, Warner said she does not want to point fingers except at the criminals who stole her identity. She simply has more questions — about who knew what and when and why she wasn’t told earlier.
“Why didn’t anyone get ahold of me?”
Please contact [email protected] or text or call 416-526-4704 if you are the victim of a hacked CRA account.
