VICTORIA — British Columbia’s privacy commissioner has found 16 people who were sent to medical facilities after the deadly vehicle-ramming attack at the Lapu Lapu Day festival in Vancouver last year had their privacy breached by health workers.

A statement from Michael Harvey’s office says its investigation found 71 incidents of snooping by 36 health workers in the Fraser and Vancouver Coastal health authorities as well as the Provincial Health Services Authority.

It says the breaches violated the Freedom of Information and Protection of Privacy Act, which prohibits an employee of a service provider from collecting, using or disclosing personal information, except as authorized by the legislation.

The statement says Harvey also found that individuals whose privacy was breached weren’t notified without unreasonable delay.

It says the commissioner found the health authorities had “reasonable safeguards” in place to prevent and respond to breaches, and they took steps after realizing patients’ privacy was at risk, including investigations and disciplinary action.

Still, Harvey’s report includes nine recommendations, including continuing efforts to deploy automated software with a focus on preventing access to files, and applying disciplinary measures strong enough to effectively deter and sanction snooping.

“Snooping is illegal, unethical, and an egregious and intentional invasion of our privacy, and it breaks trust with those in health care that are serving us in a time of need,” Harvey says in the statement issued Wednesday.

Harvey says it’s essential for public bodies to uphold their obligations to protect personal information in order to maintain public trust in the health system.

The Filipino cultural festival in Vancouver was the site of a vehicle-ramming attack that killed 11 people last April, while more than two dozen were injured.

This report by The Canadian Press was first published Feb. 19, 2026.

The Canadian Press