Leaving an abusive environment is often framed as the final, triumphant step in a survivor’s journey to safety. For many victims of family violence and sexual abuse, however, the trauma does not end when they walk out the door. We live in a digital era where our most intimate details - mental health struggles, pharmaceutical histories, new home addresses - are meticulously catalogued in centralized electronic health records. What happens when the system designed to heal you becomes a weapon for your abuser?
A Pattern Hiding in Plain Sight
A disturbing pattern is emerging within our health information networks. Abusers, or their associates and enablers who hold positions of trust such as pharmacists, nurses, or hospital administrators, are leveraging professional access to stalk and monitor victims. This unauthorized access is not just a breach of privacy; it is a continuation of violence. And the danger extends far beyond the primary victim. When a trusted professional illicitly views a health record, they can often uncover emergency contacts, family histories, and the locations of children and other family members, allowing the harm to ripple outward through the survivor’s entire support network. Information about a victim’s mental health can be harvested and maliciously weaponized in family court and other legal proceedings.
This is not a hypothetical fear. Canadian privacy regulators have prosecuted health workers for precisely this behaviour. In one Alberta case, a laboratory worker was convicted after unlawfully accessing the health information of 34 people - not strangers, but neighbours, acquaintances, and family members of a man with whom she was in a personal relationship. In another, a nurse was convicted after two patients requested the audit logs for their own provincial health records and discovered that their files had been opened 138 times over three years at a facility where they had never received care. Ontario’s privacy commissioner is candid about the motives behind what regulators politely call “snooping”: interpersonal conflict, curiosity, and personal gain. For a survivor of family violence, “interpersonal conflict” is a clinical phrase for something far more dangerous.
What the Numbers Show
The scale of the underlying violence is well documented. According to Statistics Canada, 44 per cent of women who have ever been in an intimate partner relationship report experiencing some form of psychological, physical, or sexual violence from a partner in their lifetime, as do 36 per cent of men. Among solved homicides in 2019, 47 per cent of women victims were killed by an intimate partner, compared with six per cent of men. And separation does not switch the danger off. Federal research reviews note that women are 2.2 times more likely than men to experience spousal violence or stalking from a former partner, often after a separation the victim initiated because of the violence, and Statistics Canada data cited by the Department of Justice show that a woman’s risk of being killed by a former spouse was nearly six times her risk of being killed by a spouse she lived with.
The surveillance side of the ledger is harder to count, but the trend lines are visible. Alberta’s Information and Privacy Commissioner has described snooping by employees in health information systems as an alarming trend. When mandatory breach reporting took effect in that province in 2018, reports ballooned: the regulator went from investigating five or six potential offences at any given time to 20 open investigations, with more than 70 additional cases flagged. The convictions tell the same story. One former clerk was fined $8,000 for accessing the health records of 81 people on 471 occasions, and in 2024 a former health employee was fined $12,000 - the third largest penalty in the history of the province’s Health Information Act. Ontario, for its part, now allows its commissioner to impose administrative penalties of up to $50,000 on individuals and $500,000 on organizations, and issued its first penalties under that power in 2025. Courts there may also award up to $10,000 in damages for mental anguish caused by wilful or reckless breaches.
What no one publishes is a count of how often unlawfully obtained health information resurfaces in family litigation. Victims describe it, lawyers encounter it, and no regulator or court service tracks it. That silence in the data is itself part of the pattern this article describes: a system that does not measure a harm is a system that never has to answer for it.
A System That Exhausts by Design
When victims suspect their privacy has been compromised, they are met with a profound systemic failure - one that seems almost engineered to exhaust them into silence. Instead of an immediate protective intervention by health authorities, the burden of investigation falls entirely on the traumatized individual.
To uncover the truth, a victim must formally request comprehensive audit logs of their health records and pharmaceutical network histories. Once they receive these dense, heavily coded logs, they are forced to become their own detectives. They must sift through hundreds of entries to identify accesses by facilities or individuals with whom they have no care relationship. Even when a victim finds clear evidence of unauthorized access - such as a hospital or pharmacy in a city they have never visited looking at their file - the governing health authorities often wash their hands of the matter.
Instead of launching a centralized investigation, health authorities routinely instruct the victim to contact each offending clinic or pharmacy directly to initiate a complaint. Compounding this burden, privacy commissions generally mandate that the victim must first allow the violator’s organization up to 30 days to respond before the commission will even consider the case.
For a survivor trying to rebuild their life, the prospect of drafting formal statements, sending faxes to multiple unknown facilities, and managing complex bureaucratic appeals is overwhelmingly paralyzing. The system demands that the victim continually relive their trauma, fighting for the basic right to privacy while navigating a labyrinth of red tape. The exhaustion is profound, and many simply give up, silenced by a process that demands too much. Despite these overwhelming hurdles, there are steps victims can take to prevent, protect, and pursue justice.
Prevention and Protection
Awareness is your strongest shield. Everyone has the right to request a complete log of all access to their electronic health records, and custodians are generally required to respond within 30 days. Requesting these logs proactively can help you establish a baseline and spot anomalies early, before a pattern of surveillance takes root.
Ask your health authority what protective measures are available for your records. In Alberta, for example, patients cannot opt out of the provincial electronic health record, but they can ask a participating care provider to apply a “mask.” When a record is masked, only basic identifiers - first and last name, date of birth, gender, and personal health number - remain automatically visible. Everything else is restricted from view, and every attempt to unmask the record is electronically logged and subject to audit. Other provinces and states offer similar masking, flagging, or consent-directive tools under different names. These mechanisms work: in the nurse’s case described above, it was the victims’ own requests for their access logs that exposed years of covert surveillance and led to a conviction.
Inquiries and Investigation
If you obtain your logs and notice unauthorized views, document them meticulously. Look for accesses from facilities where you have never been a patient, or dates of access that do not align with any medical appointments. Separate these specific entries to build a clear, factual pattern of breaches. Keep copies of everything, record the dates you send and receive correspondence, and store it all somewhere your abuser cannot reach.
Moving Forward: Action and Outcomes
Although the system requires you to contact the offending organizations directly, you do not have to confront an individual abuser. Direct your formal written complaints to the facility’s privacy officer or management. Ask them to investigate whether the access was made for an authorized purpose, confirm the authority recorded for it, and demand that all digital records of the breach be preserved.
Give them the mandated time to respond, but be prepared to escalate. If the response is inadequate or non-existent, forward your thoroughly documented case to your provincial or state information and privacy commissioner. Ask the commissioner to determine whether the unauthorized access constitutes a formal privacy breach. Finally, demand that any professional found to have abused their access be reported to their professional regulatory body - such as a college of pharmacists, physicians, or registered nurses - to ensure they face disciplinary action and cannot continue to exploit their position of trust.
When Records Reach the Family Courtroom
For parents, the stakes of a health privacy breach rarely end with the breach itself. Mental health histories, prescriptions, and therapy notes have a way of resurfacing in custody and parenting disputes, reframed as evidence of instability rather than evidence of survival. Research suggests this fear is not irrational. A study of ten years of published custody decisions in the United States found that mothers who alleged abuse - particularly child physical or sexual abuse - faced a heightened risk of losing custody, and that a father’s cross-claim of “parental alienation” roughly doubled that risk. The effect was gender specific: fathers who alleged abuse were not similarly penalized when mothers claimed alienation. Courts, in other words, have historically been capable of turning a protective parent’s own records and disclosures against them.
Canadian law has begun to respond. Since March 2021, the federal Divorce Act has explicitly defined family violence to include patterns of coercive and controlling behaviour - a definition broad enough to capture stalking, harassment, and surveillance - and requires courts to consider family violence when deciding what arrangement is in a child’s best interests. The conduct does not need to be physical, or even criminal, to matter. For a survivor, this means that documented evidence of health record surveillance is more than a privacy complaint; it can be relevant evidence of the very coercive control the court is now obliged to weigh.
Hold realistic expectations while using every available tool. Some health information may be found relevant and ordered disclosed; family courts balance privacy against a child’s best interests, and they do not always balance gently. But you and your counsel can ask the court to limit disclosure to what is genuinely relevant, to restrict the copying and further sharing of sensitive records, to keep your address and contact information out of documents your former partner will see, and to consider sealing orders or publication bans where safety justifies them. You can also ask that proven unauthorized access be put before the court for what it is - a continuation of the pattern of control that the law now names. Speak with a family law professional or a court-based family violence support worker about which protections exist in your jurisdiction, and remember that legal aid clinics and victim services organizations can often help carry the paperwork so you do not have to carry it alone.
The Firewall of Deniability
Ultimately, the final outcome of these privacy inquiries and investigations is rarely in the victims’ hands, regardless of what they think should happen or the justice they wish to see. Even when a survivor can confidently name their probable abuser, proving the connection is often an insurmountable hurdle due to a lack of direct evidence. Cunning abusers frequently evade detection by having their colleagues run the inquiries on their behalf. To these coworkers, running a quick database search might seem like a casual favour or just a routine part of the workday. This dangerous complicity creates a firewall of deniability, making it almost impossible to trace the unauthorized access back to the primary abuser. The colleagues enabling this behaviour may never grasp the severity of their actions, but for the victims and their children, the consequences of these invisible breaches are catastrophic, far-reaching, and beyond anyone’s imagination.
The path to accountability is steeped in systemic friction, designed to make victims tired. But your health information belongs to you. Acknowledging this pattern of systemic failure is the first step in demanding a system that protects the vulnerable, rather than sheltering those who abuse their power - and every audit log requested, every complaint filed, and every breach named chips away at the silence that failure depends on.
Read Further
The full research and structural analysis are available in:
The Invisible Architecture of Abuse: A Study of Systemic Failure
By Adam Sons, MBA · Systemic Press Inc., 2026
Available on Amazon Canada - see Books
If you or someone you know is experiencing domestic violence, support
is available.
Assaulted Women’s Helpline: 1-866-863-0511 (24 hours, multilingual)
Local shelter and legal support resources:
sheltersafe.ca
Works Cited
“Alberta Nurse Fined for Snooping in Patients’ Health Information.” CBC News, 6 July 2018, www.cbc.ca/news/canada/edmonton/health-information-unauthorized-access-badger-1.4737441.
“Conviction in Health Information Act Investigation.” Office of the Information and Privacy Commissioner of Alberta, oipc.ab.ca/hia-conviction-3/. Accessed 18 July 2026.
Cotter, Adam. “Intimate Partner Violence in Canada, 2018: An Overview.” Juristat, Statistics Canada, 26 Apr. 2021, www150.statcan.gc.ca/n1/pub/85-002-x/2021001/article/00003-eng.htm.
“Court Case Concludes in Sentencing for Offence under Health Information Act.” Office of the Information and Privacy Commissioner of Alberta, 2024, oipc.ab.ca/court-case-concludes-in-sentencing-for-offence-under-health-information-act/.
Department of Justice Canada. “Fact Sheet - Divorce and Family Violence.” Government of Canada, 17 May 2023, www.justice.gc.ca/eng/fl-df/fsdfv-fidvf.html.
---. “Making Appropriate Parenting Arrangements in Family Violence Cases: Applying the Literature to Identify Promising Practices.” Government of Canada, 2023, www.justice.gc.ca/eng/rp-pr/jr/mapafvc-cbapcvf/review-analyse.html.
Duhatschek, Paula. “For Years, Canada’s Divorce Act Didn’t Mention Family Violence. That Changes Today.” CBC News, 1 Mar. 2021, www.cbc.ca/news/canada/kitchener-waterloo/divorce-act-family-violence-law-1.5927930.
“First Administrative Monetary Penalty Issued under Ontario’s Health Privacy Law.” Information and Privacy Commissioner of Ontario, 2 Sept. 2025, www.ipc.on.ca/en/resources/first-administrative-monetary-penalty-issued-under-ontarios-health-privacy-law.
“Information and Privacy Commissioner Publishes 2023-24 Annual Report.” Office of the Information and Privacy Commissioner of Alberta, 2024, oipc.ab.ca/information-and-privacy-commissioner-publishes-2023-24-annual-report/.
Meier, Joan S. “U.S. Child Custody Outcomes in Cases Involving Parental Alienation and Abuse Allegations: What Do the Data Show?” Journal of Social Welfare and Family Law, vol. 42, no. 1, 2020, doi:10.1080/09649069.2020.1701941.
“Netcare: Know Your Rights.” Office of the Information and Privacy Commissioner of Alberta, oipc.ab.ca/resource/netcare-know-your-rights/. Accessed 18 July 2026.
“Potential Consequences of a Breach under PHIPA.” Information and Privacy Commissioner of Ontario, 26 Aug. 2024, www.ipc.on.ca/en/health-organizations/responding-to-a-privacy-breach/potential-consequences-of-a-breach-under-phipa.
“Privacy and Security for Alberta Netcare.” Alberta Netcare, www.albertanetcare.ca/patientprivacy.htm. Accessed 18 July 2026.
“Reports of Health-Care Privacy Breaches Spike in Alberta.” CBC News, 2019, www.cbc.ca/news/canada/calgary/health-care-privacy-breaches-spike-alberta-1.5316230.
“Unauthorized Access.” Information and Privacy Commissioner of Ontario, 30 Apr. 2024, www.ipc.on.ca/en/health-organizations/unauthorized-access.