Stolen identities of 28,000 B.C. health-care workers used in decade-long crime sprees
Kelowna nurse Ashley Stone sits down at her kitchen table, opens a bulky blue folder containing a paper trail of 10 years of multiple frauds committed in her name by imposters and gets right to the point.
“It’s just been a nightmare.”
She says she’s had to repeatedly put out “fires” and convince debt collectors she was innocent.
“It’s never over,” she said. “I could be 80 years old and still be dealing with this.”
Stone says her employer, Interior Health, which runs hospitals and medical facilities in B.C.’s southeastern region, needs to be held accountable for a decade of denials of a massive data breach in 2009.
“I thought they would take it seriously,” she told fifth estate co-host Mark Kelley, recalling when, in 2014, she discovered multiple nurses in the maternity ward at Kelowna General Hospital had been victims of identity theft — at the same time.
Today, a former Ontario privacy commissioner is calling for an external investigation into why, for a decade, the B.C. government agency denied the data breach, which a fifth estate investigation shows affected 28,000 health-care workers.
- Watch the full documentary, “The Denial Machine,” from the fifth estate on YouTube or CBC-TV on Friday at 9 p.m.
“It’s heartbreaking, truly, that this is taking place and the disregard on the part of the government and Interior Health, that’s what I find appalling,” said Ann Cavoukian.
Registered nurse Ashley Stone says when fraudsters stole her identity, she discovered she wasn’t alone as colleagues started speaking up.
According to an eight-month fifth estate investigation, numerous groups of nurses and medical workers in cities and towns across the B.C. Interior began reporting cases of stolen identities more than a decade ago — yet senior management continued to deny responsibility.
Interior Health executives declined interviews, stating “this matter” was “before the courts.”
In a media release, the provincial government agency said its “top priority is to ensure that personal information is always protected.”
The CBC investigation exposes weaknesses in how data breaches are investigated that, critics say, allow government agencies and corporations to avoid liability when employee data has been breached and where crime networks go unpunished as victims are wrongly blamed for crimes they never committed.
Denials opened door to crime networks: privacy expert
Last March, an anonymous source sent an email to the fifth estate confirming what those nurses had believed for more than a decade — that there had indeed been a massive data breach affecting 28,000 past and present Interior Health employees.
An ex-criminal identifying themselves as Anonymous provided a list of names they said they obtained through the dark web, an online forum exploited by crime groups to buy and sell stolen information.
While the fifth estate does not know the identity of Anonymous, journalists have verified the accuracy of the information with dozens of Interior Health employees whose names appear in the document.
Anonymous said they understood the data was first stolen in 2009 and placed on dark web forums in 2017, which is where they said they, and thousands of others, purchased the information.
Cavoukian said the health authority’s failure to acknowledge a decade ago that there was a massive breach opened the door for fraud artists to continue their crime sprees year after year.
“You’re free and clear to continue what you’re doing,” is the message the authority signalled to the imposters, she said. “I can’t believe (Interior Health) just denied it.”
Nurses ‘absolutely panicking’
Stone recalls a decade ago, nurses on her ward were “absolutely panicking” as they began the odyssey of dealing with credit agencies and accusations they had committed the frauds. She began keeping a spreadsheet of cases reported by word of mouth — a list that grew into the dozens.
The fifth estate has learned that since then, imposters have repeatedly taken over CRA accounts of Interior Health employees and obtained bogus credit cards and vehicle loans in their names.
“I am horrified at what has happened to so many nurses,” stated another victim of stolen identity, Tracey Maxfield, adding it is “completely untrue” that Interior Health was unaware of what was going on.
Emails show an increasingly frustrated Stone sent a stern warning to her bosses in December 2014.
“I have had no reassurance that anything is being done or being investigated within (Interior Health) to figure out where this is coming from.”
‘Nobody did anything’
“There is no evidence to suggest IH is at fault,” responded Mark Braidwood, Interior Health’s director of information privacy and security in 2015.
“Had we had a large breach,” he wrote, Interior Health would have been hearing of thousands of employees being impacted. “This is not the case.”
In 2014, while Stone was pleading with the health authority to take action in Kelowna, an Interior Health employee in Trail, B.C., reported their identity theft to the local RCMP detachment.
Before long, Stuart Ward, then an RCMP constable, says he had accumulated nearly 100 cases of imposters using names and social insurance numbers of Interior Health employees. He says he reported his findings to Interior Health and B.C.’s privacy commissioner.
“It bothers me that nobody did anything initially when all of these people came forward (and) said: ‘This is this problem I am having,’” he said. “I think of this constantly because they’re going to have this for the rest of their life.”
Alberta crime networks exploited stolen data
The fifth estate investigation reveals that by 2017, criminal networks had begun to find new ways of exploiting the stolen Interior Health data.
Anonymous said they bought the data on a private messaging app linked to the dark web and that a single name cost $15, or the whole list $1,000. They said there are “tutorials on the dark web” for how to use the stolen names but that they were by invitation only.
It wasn’t long before crime groups operating out of Alberta got their hands on the list and began hacking into CRA accounts of Interior Health employees.
The fifth estate had heard from at least 17 former or current Interior Health employees whose accounts were hacked after imposters walked into H&R Block locations across Alberta.
One of them, Chandra Hauer, said she got an automated notice from the Canada Revenue Agency in October 2022 stating that she was now separated, had moved to Edmonton and had a new authorized tax preparer, H&R Block.
None of it was true.
She would eventually learn an imposter had stolen her identity, gained access to her CRA account and pocketed a bogus refund worth nearly $6,000 – an ordeal that has upended her life ever since.
“The CRA didn’t believe that someone had fraudulently done this (even though) I kept telling them.”
Hauer also had no idea she was on the list of stolen Interior Health identities until she was contacted by the fifth estate.
Leslie Warner, a nurse in Fernie, B.C., discovered her CRA account had been hacked through an H&R Block office in Edmonton in 2021. She was later wrongly arrested and fingerprinted for crimes her imposter allegedly committed.
The fifth estate investigation reveals those Alberta-based crime networks expanded to include imposters operating out of towns and cities across the province, setting up fake companies, opening bogus credit cards and vehicle loans all in the names of Interior Health employees.
Edmonton-area imposter identified
The fifth estate’s investigation has revealed the identities of several alleged imposters who used the stolen Interior Health names to commit their crime sprees.
Court documents obtained by journalists show that Amber McLellan used the names of Interior Health employees to create fake identity documents in Alberta.
The fifth estate spoke to McLellan on the phone last May to talk about her charges of identity theft. “Yeah, I went to the pen (penitentiary) for it,” she said.
When asked how she obtained the Interior Health names she used in her identity theft, she hung up. “I am definitely not having this conversation, I am not sure what you are talking about.”
The fifth estate also learned that Christina Cherpak, an Edmonton-area resident, used a credit card directly connected to a bogus CRA refund made through an H&R Block location in Spruce Grove, Alta., after an imposter took over the account of an Interior Health employee.
When fifth estate co-host Mark Kelley spoke to her after an unrelated court appearance outside an Edmonton courthouse last May, she also declined to say how she got the names or who taught her how to use them to commit tax fraud.
Fifth estate co-host Mark Kelley found alleged imposter Christina Cherpak outside an Edmonton courthouse to ask her where she obtained names used to defraud the CRA.
- If you worked at B.C.’s Interior Health authority between 2003 and 2009 and believe you may be the victim of stolen identity or a hacked CRA account, please email, in confidence, harvey.cashore@godfear.in or text or call 416-526-4704. Click here to contact CBC News completely anonymously using SecureDrop.
What did Interior Health know?
Interior Health officials continue to deny any responsibility for the data breach and have not apologised to victims whose identities were stolen.
In 2017, separate RCMP fraud investigations in B.C.’s Lower Mainland discovered two lists of stolen Interior Health employee names, 200 in Surrey and another 300 in Port Coquitlam.
However, in a December 2017 Facebook post to its employees, executives said an external consultant determined “there was no evidence of further breaches” and concluded this was “reassuring news.”
“That’s what I find appalling,” said Cavoukian. “I don’t even know how (Interior Health) could make a statement like that, so self-assured.”
Former Ontario privacy commissioner Ann Cavoukian says employee reports of stolen identities should have prompted an investigation by B.C.’s Interior Health Authority.
The chair of the Interior Health Authority, Robert Halpenny, declined a recent request for an interview, citing ongoing civil and criminal cases.
In an emailed statement to the fifth estate, Halpenny, who was also the health authority’s president and CEO from 2010 to 2015, said Interior Health “had no knowledge of this issue until 2017,” after his tenure.
But the fifth estate has obtained testimonials from employees who say they reported their identity theft as early as 2011, including an email that was sent directly to Halpenny in 2015.
“I am extremely alarmed,” one nurse wrote to Halpenny on Jan. 9, 2015, in an email with the subject line “Identity Theft of (Interior Health) staff members.”
“MANY more staff members out there that have had their identity stolen,” she stated, adding that the RCMP “are concerned as well.”
“I truly believe that an (Interior Health) wide email/memo to ALL staff needs to be communicated.”
In a recent email exchange with the fifth estate, Halpenny declined to respond to the apparent contradiction.
Halpenny, whose name and personal identification also show up in the breach provided to the fifth estate, did not respond to questions about whether members of the executive team named in the breach had also been victims of identity theft.
RCMP reports list of 20,000 names
In 2024, more than six years after Interior Health said it was “reassuring” that there was “no evidence of further breaches” beyond 500 employee names, the RCMP in Vernon said they discovered a list with 20,000 names including social numbers. Interior Health confirmed in a March 2024 media release that the list included approximately 7,000 current employees.
Interior Health described the discovery as an “employee information incident” and stated employees can “reduce your risk by educating yourself and staying informed.” The agency also offered affected employees two years of credit monitoring.
The 2024 release made no mention of the stolen identities reported by employees as far back as 2011 or the 2017 breaches reported by the RCMP. It stated, however, that outside consultants concluded that “this information is not on the dark web.”
B.C. Health Minister Josie Osborne declined to respond to repeated requests for interviews over a three-month period. Eventually her office said she would not comment due to ongoing investigations, but added in a statement that “since 2009, (Interior Health) has made significant security upgrades to their systems.”
In May 2025, a class-action lawsuit filing, yet to be certified, alleged that Interior Health concealed the breach from those affected. In a recent response in court, Interior Health said it “had in place, and continues to have in place, reasonable security arrangements.”
Since 2014, Interior Health has offered different explanations in response to reports of a breach, at first telling employees their personal information could have been obtained elsewhere — for example from benefits providers or identity thieves going through their trash.
Source of data breach unknown: Interior Health
Victims have criticized the Health Authority for not properly investigating reports of a data breach a decade ago, and that they should not have relied on claims there was “no evidence.”
Interior Health continues to deny any knowledge that it has been the victim of a massive data breach.
In its response to the class-action lawsuit filing, the health authority said the source of the data breach is unknown and it “could not determine whether a compromise of Interior Health systems (caused) the privacy breach.”
For Stone, the fact her name showed up on the list provided to the fifth estate was “vindication” after years of denials by her employer.
“I honestly just want to put all of this behind me and forget it ever happened,” she told Kelley.
She said she stopped working as a nurse earlier this year, but won’t give up holding Interior Health to account.
“I just also want to continue to be an advocate for my colleagues who are still working full time and need that work full time and feel too afraid to speak up because I’m not afraid to speak out. Anymore.”
