A Devastating Data Breach Hits B.C. British Columbia Healthcare Workers.
On April 15, 2025, a chilling report revealed that over 28,000 current and former employees of British Columbia’s Interior Health authority had their personal information stolen in a massive data breach.
This agency, responsible for managing hospitals and medical facilities across eastern B.C., including Kelowna General Hospital, serves nearly 900,000 residents.
The breach exposed sensitive details like social insurance numbers (SINs), home addresses, and birth dates of employees who worked at the agency between 2003 and 2009.
This incident has led to a wave of identity theft, with imposters hacking into Canada Revenue Agency (CRA) accounts and filing fraudulent tax returns, often through H&R Block offices in Alberta.
Leslie Warner, a nurse from Fernie, B.C., became one of the victims when she was wrongly charged with social security fraud in 2022.
“I was like, ‘Oh my God, this is my identity theft,’” Warner told , recalling the moment she was fingerprinted and photographed at her local RCMP detachment.
The charges were dropped after she proved an imposter had hijacked her CRA account in 2020, using her SIN to file a bogus tax return in Alberta, falsely listing H&R Block as her authorized representative—despite Warner never having used their services.
This breach is part of a broader issue of CRA account vulnerabilities, with fraudsters exploiting stolen identities to siphon millions in bogus refunds.
The incident underscores the urgent need for stronger cybersecurity measures to protect Canadians’ personal data, especially as scammers continue to target third-party tax preparation companies like H&R Block.
Table of Contents
How the Breach Unfolded: A Dark Web Leak
The breach came to light when an anonymous source, identifying themselves as “Anonymous,” in March 2025.
They provided a list of over 28,000 stolen identities, claiming the data was sold on the dark web for around $1,000 through a Telegram group established in 2017.
Anonymous, a self-described ex-criminal, stated their intent to “right my wrongs” by helping identify potential fraud victims.
While the existence of the Telegram group and the exact sale price remain unverified, The Fifth Estate confirmed the accuracy of the data by contacting several individuals on the list, all of whom verified their employment with Interior Health during the specified period.
The stolen data included critical personal details, making it a goldmine for fraudsters.
“This is horrible,” said Ann Cavoukian, former Ontario privacy commissioner and executive director of the Global Privacy and Security by Design Centre.
She warned that such breaches could lead to a “nightmare” for affected individuals, emphasizing the need for public awareness and action.
Interior Health acknowledged the breach in March 2024, after an RCMP investigation uncovered a list of 20,000 names.
However, the list shared with The Fifth Estate contained 28,000 names, raising questions about the full scope of the breach.
The agency hired Deloitte Canada to investigate, and they claimed the data was not on the dark web—a statement Anonymous disputed, asserting that the information had been widely circulated on Telegram shops and other dark web forums.
This discrepancy suggests Interior Health may have downplayed the severity of the leak, possibly to limit liability.
The Fallout: CRA Accounts Hacked and Bogus Refunds Claimed
The stolen data has fueled a surge in identity theft, with fraudsters targeting CRA accounts to file fraudulent tax returns.
Warner’s ordeal began in 2021 when she discovered her CRA account had been compromised.
An imposter had changed her email address, phone number, and direct deposit information to a Digital Commerce Bank account in Calgary, claiming a bogus refund in her name.
To her shock, the CRA had listed three H&R Block entities as her authorized representatives, despite her never engaging their services.
Warner’s case is not isolated.
The Fifth Estate identified at least six other Interior Health employees whose CRA accounts were hacked by imposters using H&R Block locations across Alberta, including in Edmonton, Calgary, and Red Deer.
A seventh victim, a nurse from Penticton, was listed as the sole director of two shell companies in Edmonton, which were used to produce fake T4 slips for tax fraud schemes.
“I feel dirty having been a victim of this,” the nurse told The Fifth Estate, requesting anonymity to protect her privacy.
A previous investigation by The Fifth Estate and Radio-Canada revealed that tens of thousands of Canadians have had their CRA accounts hacked since 2020, with scammers exploiting security gaps between the CRA and third-party tax preparers.
Special access codes, known as EFILE credentials, assigned to companies like H&R Block, have been repeatedly abused by fraudsters to gain unauthorized access to tax accounts.
In 2023, two B.C. residents from Creston and Kelowna had their accounts hacked, with imposters filing bogus returns through H&R Block offices in Alberta.
Both victims’ names were later found on the Interior Health breach list.
H&R Block’s Role: Awareness but Little Action
Internal H&R Block memos obtained by The Fifth Estate show the company was aware of fraudulent activities involving its offices.
An undated memo titled “Out-of-Province Tax Filers” noted an increase in fraud by individuals claiming to have moved from B.C. to Alberta.
Another memo from April 14, 2022, highlighted fraudulent cases in Edmonton and Calgary involving bogus T4 slips from a fake company, “Hawt Shotz Deliveries Inc.”
By June 15, 2023, an updated memo warned of two fraudsters using fake T4 slips from a numbered company in Edmonton to attempt instant refunds at H&R Block locations in Red Deer and Edmonton.
Despite this awareness, H&R Block has downplayed its role.
In a November 2024 email to The Fifth Estate, the company claimed it had no knowledge of incidents involving unauthorized use of its EFILE credentials.
However, in a statement on April 11, 2025, H&R Block maintained that the issue was related to identity theft, not their credentials, calling it “misleading and irresponsible” to suggest otherwise.
The company did not explain how imposters successfully used its offices to process fraudulent returns, leaving many questions unanswered.
An H&R Block employee, speaking anonymously due to company instructions not to engage with reporters, suggested that the company’s primary concern was avoiding financial losses rather than pursuing the fraudsters.
This lack of accountability has frustrated victims like Warner, who continue to grapple with the aftermath of identity theft.
Interior Health’s Response: Transparency in Question
Interior Health’s response to the breach has been criticized for its lack of transparency.
In its March 2024 media release, the agency encouraged employees who worked there between 2003 and 2009 to call a 1-800 number to check if their names were on the compromised list.
However, several employees whose details appeared on the list provided to The Fifth Estate reported being told by Interior Health that they were not affected—a discrepancy that raises concerns about the accuracy of the agency’s reporting.
Brent Kruschel, Interior Health’s vice-president of digital health, stated that the age and scope of the data made it difficult to determine its origin.
He noted that the issue remains under active RCMP investigation and is before the courts, limiting further comment.
However, the agency’s claim that the data was not on the dark web, based on Deloitte’s findings, contradicts Anonymous’s assertions, highlighting potential gaps in the investigation.
The Broader Implications: A Growing Threat to Canadians
This breach is part of a larger pattern of CRA account vulnerabilities.
A Fifth Estate and Radio-Canada investigation reported that since 2020, tens of thousands of Canadians have had their CRA accounts hacked, with fraudsters pocketing millions in bogus refunds.
In 2024 alone, the CRA paid out over $6 million in fraudulent refunds after hackers exploited stolen H&R Block credentials, a figure that underscores the scale of the problem.
The CRA has faced criticism for its handling of such breaches.
Sources have accused the agency of underreporting the extent of privacy breaches to Parliament, with over 31,000 “material” breaches affecting 62,000 taxpayers between March 2020 and December 2023.
The agency’s “pay and chase” policy—prioritizing quick refund payouts and auditing discrepancies later—has been blamed for enabling fraudsters to thrive.
Critics, including former CRA investigator Shawna Roy, have called the agency’s security systems a “free for all” for fraudsters exploiting third-party access codes.
The Interior Health breach also highlights the risks faced by healthcare workers, whose personal data is increasingly targeted by cybercriminals.
Ann Cavoukian emphasized the need for greater public awareness, noting that such incidents can have long-lasting consequences for victims, from financial losses to emotional distress.
What You Can Do to Protect Yourself
If you worked for Interior Health between 2003 and 2009, you may be at risk.
Here are steps to safeguard your identity and CRA account:
Check Your CRA Account: Log into your CRA My Account to verify your personal details, including email, phone number, and direct deposit information.
Report any unauthorized changes immediately.
Enable Multi-Factor Authentication (MFA): The CRA now requires MFA, which adds an extra layer of security by sending a one-time code to your phone or email.
Monitor Your Credit: Use identity protection services to monitor your credit for unusual activity.
The CRA offers free credit protection to confirmed victims of identity theft.
Report Suspicious Activity: If you suspect your SIN has been misused, contact Service Canada and the Canadian Anti-Fraud Centre (CAFC).
You can also reach out to 416-526-4704 for confidential support.
Be Wary of Phishing Scams: Avoid sharing personal information online and use strong, unique passwords for all accounts.
A Call for Accountability
The Interior Health data breach and the subsequent CRA account hacks underscore the urgent need for stronger cybersecurity measures in Canada.
Victims like Leslie Warner are left with more questions than answers: Who knew about the breach, when did they know, and why weren’t affected individuals informed sooner?
Warner’s frustration echoes a broader sentiment among Canadians who feel let down by institutions tasked with protecting their data.
As the RCMP investigation continues, pressure is mounting for greater transparency and accountability from both Interior Health and the CRA.
The incident also raises questions about the role of third-party tax preparers like H&R Block, whose systems have been exploited by fraudsters with little apparent consequence.
For now, Canadians must remain vigilant, taking proactive steps to protect their personal information in an increasingly digital world.
The fight against identity theft and tax fraud is far from over, and this breach serves as a stark reminder of the stakes involved.
Stay updated with CTC News.
