Brendan Shykora reports:
B.C.’s Interior Health Authority (IH) has been served a class-action lawsuit over a data breach in 2009 that allegedly exposed thousands of employees’ sensitive information, which ended up sold on the dark web.
Filed in B.C. Supreme Court Thursday, May 22, the lawsuit claims the breach compromised the personal information of employees who worked for IH between January 2003 and December 2009, when the breach occurred.
The lawsuit claims the breach gave “cybercriminals and other malicious actors” access to private information that the health authority was expected to safeguard.
“The full extent of the IHA data breach remains unknown to the public as of May 2025. The Interior Health Authority has chosen not to disclose critical details regarding the breach — such as how it occurred, when it was discovered, and the total number of affected individuals,” court documents state.
Read more at Parksville Qualicum Beach News.
A breach in 2009 is only now resulting in a class-action lawsuit in 2025? Really?
Checking the history of the incident in DataBreaches’ notes, it seems that in March of 2024, IHA reportedly first notified employees of the 2009 incident after being informed in January 2024 that RCMP had found a document with information on 20,000 employees.
IHA might argue that March was not really the first time employees were notified of the 2009 breach, however. For that, we need to go back to 2017, when approximately 500 employees were reportedly notified after the arrests of two individuals. According to media reports at the time, IHA had not detected the breaches on its own, but had been notified by law enforcement who had found employee data in possession of the individuals.
When IHA investigated those reports from the RCMP back in 2017, they revealed the 2009 breach. In December 2017, IHA revealed the results of their investigation into the 2017 incidents:
“The review, which spanned two months, was unable to determine how the breach occurred, or whether the information was accessed by an individual or individuals or external to IH,” said IH in a statement. “It was, however, able to identify a likely time frame of December 2009 when unknown access to an IH employee database appears to have occurred.”
So they had discovered a December 2009 breach by December 2017. As CFJC reported at that time:
The database contained the personal information of all people employed with IH between January 2003 and December 2009, including social insurance numbers, dates of birth, email and mailing addresses, phone numbers and/or former last names.
As a result, IH is urging current and former employees working with the health authority during this time to take extra precautions with their personal information, including credit card and passwords, and to avoid carrying more identification than needed such as social insurance numbers or passports.
Surely that cannot constitute adequate notification of the 2009 breach under Canadian law, can it? But what about the March 2024 press release and notifications sent then?
Consider this: court documents also claim that at least two IH employees already had their identities stolen by the time the police were investigating the 2017 data thefts, and one of the individuals arrested was producing false identity cards. Despite what appeared to be evidence of misuse or possible misuse by September 2017, IHA’s vice-president of human resources reportedly issued a press release months later informing employees there is “no indication their information has been breached or used in an unlawful way.” Then there was the 2024 press release and subsequent updates.
Rae Fergus, a former IH employee, is one of the lead plaintiffs in the case. Shykora reports that the court documents state that since 2022, her personal information and identity have been used to fraudulently obtain a car loan and a credit card, and open up a bank account without her “knowledge or consent.”
A gap of 13 years from data theft to misuse? Can she possibly prove the 2009 theft was the cause, given how many other breaches have occurred since then that may have involved her identity information?
This lawsuit would seem to face a lot of obstacles, but it also seems clear that IHA did not prevent certain breaches, detect them promptly on its own, or provide those potentially affected with timely information and support. But will they be made to pay for any of that?
Correction: This post was corrected to reflect that IHA issued a press release and some notifications in March of 2024, not 2025 as incorrectly reported. Their most recent update and FAQ can be found at https://www.interiorhealth.ca/messageforIHstaff#when-is-this-information-from