For a decade, B.C. health agency denied a massive data breach — while nurses’ identities were stolen and lives upended

At her kitchen table in Kelowna, nurse Ashley Stone flips open a blue folder — ten years’ worth of credit statements, police files, and bank letters.

“It’s just been a nightmare,” she says. “I could be 80 years old and still be dealing with this.”

Stone says she’s spent the past decade proving her innocence to debt collectors after fraudsters used her identity to rack up $25,000 in debt. The stolen information, she later learned, likely came from a massive 2009 Interior Health data breach that the agency denied for more than a decade.

A breach hidden in plain sight

The fifth estate uncovered evidence that 28,000 employees had their names, social insurance numbers and other data stolen — information that later appeared for sale on the dark web.

In 2014, when Stone and other nurses at Kelowna General Hospital discovered dozens of identity theft cases among staff, they begged Interior Health to investigate.

Instead, the agency dismissed the reports.

“There is no evidence to suggest IH is at fault,” wrote Mark Braidwood, the authority’s director of information privacy and security, in a 2015 email. “Had we had a large breach, this is not the case.”

That denial, says former Ontario privacy commissioner Ann Cavoukian, was disastrous.

“The disregard on the part of Interior Health is appalling,” she told CBC’s fifth estate. “Their failure to acknowledge the breach opened the door for criminals to keep exploiting those names year after year.”

The dark web connection

Last year, an anonymous source — calling themselves “Anonymous” — sent journalists a file listing thousands of Interior Health employees. They said they had purchased the list for $1,000 on a dark web forum, where individual names sold for $15 apiece.

Anonymous said the data first leaked in 2009 and resurfaced online around 2017. CBC verified dozens of names in the file against real Interior Health workers.

By then, organized crime groups — some based in Alberta — were already using the stolen information to hack CRA accounts, open fraudulent credit cards, and even secure fake vehicle loans.

One nurse, Chandra Hauer, got an alert in 2022 saying she’d moved to Edmonton and filed taxes through H&R Block. It wasn’t true. She later learned an imposter had used her stolen identity to pocket a $6,000 refund.

Another nurse, Leslie Warner of Fernie, B.C., had her CRA account hacked in 2021 and was wrongly arrested for crimes committed by her imposter.

‘Nobody did anything’

Former RCMP officer Stuart Ward said he was investigating nearly 100 cases of Interior Health employee identity theft by 2014 — and reported it to both Interior Health and B.C.’s privacy commissioner.

“It bothers me that nobody did anything when these people came forward,” Ward said. “They’re going to have this for the rest of their lives.”

Despite mounting evidence, Interior Health continued to issue reassurances. A 2017 internal Facebook post called the situation “reassuring,” claiming an external consultant had found “no evidence of further breaches.”

Cavoukian says that was dangerously misleading. “To say that publicly, when victims were still coming forward — it’s astonishing,” she said.

The aftermath

CBC’s investigation also identified two Alberta women who used the stolen names to commit fraud. One, Amber McLellan, admitted over the phone she “went to the pen for it” before hanging up. Another, Christina Cherpak, was linked to a bogus CRA refund tied to an Interior Health employee’s hacked account.

Meanwhile, Interior Health executives have declined interviews, saying the matter is before the courts.

For Ashley Stone, that’s not enough.

“They left us to fend for ourselves,” she said. “And now they act like it never happened.”