B.C.'s Interior Health Authority (IH) has been served a class-action lawsuit over a data breach in 2009 that allegedly exposed thousands of employees' sensitive information, which ended up sold on the dark web.
Filed in B.C. Supreme Court Thursday, May 22, the lawsuit claims the breach compromised the personal information of employees who worked for IH between January 2003 and December 2009, when the breach occurred.
The lawsuit claims the breach gave "cybercriminals and other malicious actors" access to private information that the health authority was expected to safeguard.
"The full extent of the IHA data breach remains unknown to the public as of May 2025. The Interior Health Authority has chosen not to disclose critical details regarding the breach — such as how it occurred, when it was discovered, and the total number of affected individuals," court documents state.
Rae Fergus, a former IH employee, is one of the lead plaintiffs in the case. The court documents state that since 2022, her personal information and identity have been used to fraudulently obtain a car loan and a credit card, and open up a bank account without her "knowledge or consent."
Susan Shaw, another lead plaintiff and former employee, became aware of the data breach by reading a news article just last month. She claims she did not receive any notice of the breach from the health authority. After contacting Interior Health, she says she was informed her personal information had been compromised and she was offered two years of free credit monitoring.
On April 15, news organizations covered the breach following public questions in the Legislature by Bruce Banman, a B.C. Conservative MLA for Abbotsford South, who said the stolen identities were used for fraudulent activities, including inappropriate Canada Revenue Agency refunds and loans.
"Over 28,000 social insurance numbers have been stolen from B.C.'s Interior Health employees," Banman told the Legislature.
In March 2024h after being informed of a document that had been discovered in an RCMP investigation in January 2024.
The plaintiffs brought the legal action on behalf of those who were employed by the health authority from January 2003 to December 2009 and provided their personal information, which they say was a requirement of their employment.
According to the lawsuit, since 2017 police in Port Coquitlam, Surrey and Vernon have discovered documents containing personal information from the data breach. It says the RCMP arrested a person in Port Coquitlam in June 2017 who had the personal information of 300 current and former employees, adding the person was in the process of creating false identities with the information.
"At that point, at least two IH employees already had their identities stolen," the lawsuit alleges.
In September 2017, Surrey RCMP arrested a second person who had the personal information of 184 current and former employees. According to the lawsuit, a few months later Mal Griffen, IH vice-president of human resources, issued a press release informing employees there is "no indication their information has been breached or used in an unlawful way."
The lawsuit claims that around this time in 2017, IH notified a small number of affected people that their personal information had been accessed and offered them one year of free credit monitoring.
"The Interior Health Authority chose not to directly notify any of the other individuals that it employed," it alleges.
The lawsuit goes on to add that in January 2024, a Vernon North Okanagan RCMP investigation discovered a document that contained the personal information of over 20,000 IH employees past and current. Two months later, IH published an online notice which the lawsuit calls the "first public acknowledgement of both the breach's widespread scope and the extent of compromised personal information."
The lawsuit alleges that IH denied that stolen information was circulating on the dark web. It calls IH's conduct throughout the timeline of the breach "high-handed, outrageous and reckless."
