Privacy Report Finds Improper Access to Lapu-Lapu Day Victims’ Medical Files in B.C.
An investigation by British Columbia’s privacy watchdog has found that dozens of health-care employees accessed patient records without authorization following the Lapu-Lapu Day tragedy in Vancouver last year.
The Office of the Information and Privacy Commissioner (OIPC) released findings this week confirming that 36 staff members across multiple health authorities improperly viewed confidential medical information. In total, investigators identified 71 instances involving the files of 16 patients.
The individuals whose records were accessed had received medical care after the April 26, 2025 vehicle attack at the Lapu-Lapu Day festival, which resulted in 11 deaths and more than 30 injuries.
Investigation Details
The commissioner’s review concluded that the majority of the access was not connected to patient treatment or authorized duties. Instead, the report suggests that curiosity following a high-profile tragedy played a significant role.
The breaches occurred within Vancouver Coastal Health, Fraser Health, Providence Health Care, and the Provincial Health Services Authority (PHSA). Each organization reported concerns after internal monitoring systems detected irregular access to patient files.
Privacy Commissioner Michael Harvey stated that trust is fundamental in health care and emphasized that employees are trained to understand strict access limitations. He noted that patient information must only be viewed when required for care or legitimate operational purposes.
Existing Safeguards and Gaps
Following the incident, health authorities had introduced additional privacy precautions due to the sensitive nature of the case. These steps included issuing reminders to staff about confidentiality policies, flagging certain patient files, and temporarily restricting access to specific records.
Despite those measures, unauthorized viewing still occurred.
The commissioner highlighted that hospitals and clinics often serve patients at their most vulnerable moments. Protecting their personal health information, he said, is a core responsibility of the system.
Under B.C.’s privacy laws, access to medical records is permitted strictly on a need-to-know basis. Employees who are not directly involved in a patient’s care do not have authority to review their information.
Consequences and Next Steps
Disciplinary action varied depending on the circumstances of each case. Some workers received formal warnings, others were suspended, and several were terminated.
PHSA confirmed that 26 of its employees were among those disciplined. The group of staff involved included nurses, administrative workers, a pharmacist, and medical students.
In a joint response, the four health authorities acknowledged the seriousness of the breaches and described the conduct as unacceptable. They stated that investigations were completed promptly and corrective steps were taken.
The organizations also committed to strengthening oversight by expanding automated audit systems, improving real-time monitoring capabilities, and clarifying internal breach response procedures.
The commissioner’s office has recommended clearer notification standards and more consistent disciplinary frameworks across the provincial health system to reduce the risk of similar incidents in the future
Stay updated instantly — follow us on Instagram | Facebook | X
