Nurse's arrest reveals wider BC identity theft scheme linked to CRA hacks and dark web leak
A nurse from Fernie, British Columbia, said her life was turned upside down after learning her identity had been stolen and used in a cross-province social security fraud.
Leslie Warner told CBC News that in 2022 she was fingerprinted and had her mug shot taken at the local RCMP detachment after being falsely charged in a case involving Alberta-based tax fraud.
According to Warner, the charges were dropped when she explained someone had hacked her Canada Revenue Agency (CRA) account in 2020 and filed a fraudulent return using her personal details.
She said the hacker designated tax preparation firm H&R Block as her “authorized representative,” although she had never permitted them to act on her behalf.
The Fifth Estate learned that Warner's name appeared in a large breach of employee data from Interior Health — a British Columbia health authority running facilities in the southeastern part of the province.
The data breach contained personal information, including social insurance numbers, of over 28,000 people who worked there between 2003 and 2009.
While it is unclear how many names have been exploited, The Fifth Estate identified multiple instances in which fraudsters used identities of Interior Health employees to access CRA accounts and secure bogus refunds and loans.
An individual identifying only as “Anonymous” told The Fifth Estate they had obtained the Interior Health employee list from sellers on the dark web.
Anonymous said the information was first leaked in 2017 and has since been sold and distributed widely.
The source said they now wish to “help others and right [their] wrongs.”
The Fifth Estate confirmed that multiple individuals on the list had worked for Interior Health and verified that the stolen data — including home addresses and birth dates — matched their records.
Warner discovered in 2021 that someone had changed her CRA account email, mailing address, and direct deposit information to a Calgary bank account.
The imposter had also added multiple H&R Block locations as her “authorized representatives.”
She later found the CRA had sent correspondence in her name to H&R Block offices in both Edmonton and Calgary, despite her never having left BC during that period.
Internal memos obtained by The Fifth Estate showed that H&R Block was aware of fraud being committed at its offices. One memo described a rise in cases involving people claiming to move from BC to Alberta.
Other memos dated 2022 and 2023 flagged fake T4 slips submitted at Alberta locations by fraudsters using identities from Interior Health employees.
The Fifth Estate reported in March that two other BC residents — from Kelowna and Creston — had CRA accounts hacked through similar methods. Both individuals also appeared on the leaked Interior Health list.
In total, The Fifth Estate identified at least seven victims tied to the data leak. One of them, a nurse from Penticton, was listed by imposters as the sole director of two shell companies in Edmonton. The companies were later used to generate fraudulent T4s.
“I feel dirty having been a victim of this,” the nurse told The Fifth Estate.
A previous Fifth Estate/Radio-Canada investigation revealed that tens of thousands of Canadians have had CRA accounts hacked since 2020. Fraudsters exploited access codes assigned to third-party tax preparers to gain entry to individual CRA profiles.
H&R Block, in a statement provided to The Fifth Estate in November, said it was unaware of any such incidents involving its EFILE credentials.
However, the internal memos revealed that its staff had been warned about fraud attempts using fake IDs and the identities of people from the Interior Health list.
When contacted recently, H&R Block maintained that identity theft incidents were unrelated to its EFILE access and said it was “misleading and irresponsible” to make assumptions about the causes or responsibilities tied to individual cases.
An employee told The Fifth Estate they had been instructed not to speak to media and believed the company prioritized avoiding financial losses over pursuing fraudsters.
In March 2024, Interior Health issued a public notice following an RCMP investigation that had uncovered some employee names. The agency encouraged anyone employed there between 2003 and 2009 to check if their information had been compromised.
However, multiple individuals told The Fifth Estate that Interior Health informed them they were not on the list, despite their names appearing on the document provided to the program.
The health authority’s list, based on RCMP findings, reportedly contained 20,000 names — 8,000 fewer than the list acquired by The Fifth Estate.
Interior Health claimed that external experts from Deloitte Canada found no evidence that the data was available on the dark web. But Anonymous disputed that, stating the information had been widely sold through Telegram and dark web forums for years.
Deloitte declined to comment, citing client confidentiality.
Interior Health vice-president of digital health, Brent Kruschel, said in a statement that due to the “age of the data and its broad scope,” the agency could not confirm its origin.
“As this remains an active RCMP investigation and before the courts, Interior Health is not able to provide additional information,” Kruschel stated.
Warner said she does not seek to blame anyone apart from the criminals, but wants answers.
“Why didn’t anyone get ahold of me?” she asked.
