Healthcare Workers Illegally Accessed Medical Records of Lapu Lapu Day Victims
In a disturbing violation of patient privacy, sixteen victims of the Lapu Lapu Day tragedy had their medical records illegally accessed by healthcare workers a total of 71 times, according to a report from British Columbia's privacy commissioner. The incidents occurred following the events of April 26, 2025, highlighting significant gaps in the protection of vulnerable individuals during times of crisis.
Systemic Privacy Failures Exposed
The Office of the Information and Privacy Commissioner released a detailed investigation on Wednesday, revealing that 36 workers across various roles in BC's healthcare system failed to respect patient privacy in the aftermath of the tragedy. Michael Harvey, BC's information and privacy commissioner, emphasized that the report focuses not on the day itself but on the subsequent privacy breaches at health authorities serving those in need of care.
"When people are at their most vulnerable, there should always be an expectation of privacy," said Filipino BC board chair R.J. Aquino, whose organization has been advocating for victims over the past ten months. "It's just another example of gaps in the system and how the victims and families aren't receiving the help that they need, much less being protected."
Pattern of Unauthorized Access
Between April 30 and June 20 of last year, the OIPC received breach notifications from multiple health authorities, including Vancouver Coastal Health, Fraser Health, Provincial Health Services Authority, and Providence Health Care. The report describes these incidents as intentional, unauthorized access to patient personal information—commonly referred to as "snooping" by employees.
The breaches involved:
- 35 employees from various health authorities
- One assistant working at a physician's office with access to the Fraser Health Authority (FHA) records system
- 71 separate snooping incidents targeting 16 individuals
In particularly egregious cases, one employee accessed the personal information of nine patients in a single day, while another repeatedly viewed one patient's file. Two other employees who snooped on patient files later shared the information with colleagues.
Motivations Behind the Privacy Violations
The report reveals that in most cases, employees invaded individuals' privacy to satisfy their own curiosity—a reason given in 36 of the 71 snooping instances. Other personal reasons cited included:
- Emotional distress
- Concerns for their community
- In one case, an employee claimed they were "grieving the loss of a friend"—though investigators determined the friend had no connection to the Lapu Lapu Day tragedy
Recommendations and Response
The commissioner's report includes nine specific recommendations for how health authorities can enhance security and privacy around patient records. All affected health authorities have agreed to implement these recommendations, which aim to prevent similar breaches in the future.
This case underscores the critical need for stronger safeguards in healthcare systems, particularly when serving individuals who have experienced traumatic events. The violations occurred during a period when victims were most vulnerable, raising serious questions about ethical standards and accountability within healthcare institutions.
