Over 28,000 people who had worked for IH impacted by breach, says report
Two former employees have filed an application for a class-action lawsuit against British Columbia’s Interior Health (IH) Authority, alleging the public health employer concealed a significant data breach that compromised the personal information of thousands of staff.
Filed on May 22 in the B.C. Supreme Court, the case claims the health authority failed to notify affected individuals in a timely manner, thereby denying them the opportunity to adequately protect themselves, according to a CBC report.
More than 28,000 former employees were impacted by the breach, which involved the exposure of personal information—such as Social Insurance Numbers, birth dates, and home addresses—on the dark web, where it was offered for sale, the report said.
The lawsuit alleges IH was “reckless” and engaged in “fraudulent concealment” regarding the breach, which reportedly occurred around December 2009.
“The effects of this data breach have been life-altering,” said Justin Giovannetti, the lawyer representing the two former employees, in the CBC report. “Identities have been stolen, used to commit fraud.”
The breach affects individuals who worked for IH between 2003 and 2009. However, many only became aware of the incident this year.
Rae Fergus, one of the plaintiffs, learned of the breach from a former colleague. Susan Shaw, the other complainant, discovered it on April 15, 2025, after reading about it in a news article.
Both allege they have been victims of fraud, including unauthorized car loans and credit card applications made in their names, and they describe the stress of rectifying the resulting financial damage, according to the report.
Earlier this year, a mistake by one employee caused a massive data breach at the Canada Border Services Agency (CBSA), according to a recent report.
In a March 2024 statement, IH said: “In January 2024, the Vernon North Okanagan RCMP informed IH about a document discovered during an investigation that contained personal information of individuals, including current and former employees of IH. The information seized by police included names, dates of birth, social insurance numbers, home addresses, phone numbers, and the individuals’ age in 2009. The document provided to IH has more than 20,000 names on it.”
Giovannetti advised anyone who worked for the health authority between 2003 and 2009 to verify whether they were affected by the breach and, if so, to take protective action.
“This is 28,000 individuals who may have been impacted for the last 15 years,” he said. “There’s a financial toll on people, but there’s also a mental toll.”
IH has urged potentially affected former workers to call 1-833-489-1705 to determine if their data was compromised.
“There are steps you can take to protect your personal information,” it said.
The health authority also noted that the data provided by the RCMP appears broad, is not limited to IH records, and likely dates back to 2009. “Through an external review, we have also confirmed that this information is not currently circulating on the dark web, and we will continue to monitor this,” IH stated.
The class action has not yet been certified, and the allegations remain untested in court, according too CBC.
According to Innovation, Science and Economic Development Canada, organisations that experience a security breach involving personal information are required to do the following:
“You can also report the cyber incident to the Canadian Centre for Cyber Security. By reporting a cyber incident, you help protect other businesses and Canadians from future attacks.”
The government agency added: “The best way to avoid a cyber incident is to prevent it in the first place.”
Risk management firm UpGuard noted that companies with incident response plans have reduced data breach damage costs by more than half compared to companies that had to scramble and learn as they went along.
“Companies prepared for a data breach had $2.66 million less in costs than the worldwide average,” it said.
“Companies would also benefit from a designated individual or team to lead the response, ideally a CISO (chief information security officer) or CIO (chief information officer). They can build IT security response teams to focus solely on the protection of customer data.”
Previously, the Northwest Territories Health and Social Services Authority (NTHSSA) fired one worker for improperly accessing a patient’s medical record, according to a report.
