Information and Privacy (IP) Commissioner  Michael Harvey has found that 16 individuals who were sent to medical facilities after the tragedy at the 2025 Lapu Lapu Day Festival had their privacy breached. The Commissioner found 71 incidents of snooping by 36 healthcare workers, across Fraser Health Authority (FHA), Provincial Health Services Authority (PHSA), and the Vancouver Coastal Health (VCH).

 The investigation report, which does not go into details of what happened on the day of the festival, focuses on how the breaches violated section 25.1 of the Freedom of Information and Protection of Privacy Act (FIPPA). The Act prohibits an employee, officer, or director of a public body or an employee or associate of a service provider from collecting, using, or disclosing personal information, except as authorized by FIPPA. The Commissioner also found that notification to affected individuals did not occur without unreasonable delay.

 “First and foremost, I want to express my sympathy and condolences to all those who experienced the tragedy. As we move deeper into digitization of healthcare services, where more information is collected and accessible through the use of multiple information systems, it is essential for public bodies, and those that work for them, to uphold their obligations to protect personal information. Only by doing so can the public’s trust in their healthcare system be maintained,” said Commissioner Harvey.

 The Commissioner found that the three health authorities had reasonable safeguards in place to try to prevent breaches from occurring and to respond to them when they did. The report describes how the health authorities quickly realized that the privacy of these patients was at risk and the steps they took to try to mitigate those risks, as well as the investigations and disciplinary action that followed.  

 The report includes nine recommendations to strengthen safeguards and prevent snooping, including, Continuing efforts to deploy automated software, with a focus on real-time alert generation and automated access prevention, where possible; Reviewing role-based access controls, including efforts to prevent access rights from being inherited or mistakenly applied; and Applying disciplinary measures for snooping that are strong enough to effectively sanction and deter snooping, including notifying regulatory colleges as required or appropriate.

 “Snooping is illegal, unethical, and an egregious and intentional invasion of our privacy, and it breaks trust with those in healthcare that are serving us in a time of need. People in British Columbia have a right to know if their sensitive medical information has been breached. I call on all public bodies to review the recommendations in this report, and their own protocols to prevent snooping and reinforce that it cannot be tolerated,” said Commissioner Harvey.

 “I appreciate the open and collaborative approach the health authorities took during this investigation, and that they have accepted the recommendations.”