The Better Outcomes Registry & Network (BORN) Ontario issued a comprehensive update today regarding a cybersecurity incident that occurred on May 31, 2023.
The incident stemmed from an international breach that targeted a vulnerability within the MOVEit file transfer software, a platform used by BORN Ontario to facilitate the secure exchange of information with authorized care and research partners. As a result of this breach, unauthorized entities gained access to and copied specific files from one of BORN’s servers. Among the data copied were personal health records, primarily collected from Ontario’s fertility, pregnancy, and child health care providers. These providers routinely contributed vital health information to the BORN Ontario perinatal and child health registry, as authorized under the Personal Health Information Protection Act (PHIPA).
A thorough investigation revealed that the copied files contained personal health information for approximately 3.4 million individuals, predominantly encompassing those seeking pregnancy care and newborns born in Ontario.
Individuals may be affected by this privacy breach if they:
- Gave birth or have a child born in Ontario between April 2010 and May 2023.
- Received pregnancy care in Ontario between January 2012 and May 2023.
- Underwent in-vitro fertilization or egg banking in Ontario between January 2013 and May 2023.
Safeguarding data privacy is of paramount importance to BORN Ontario. Following the discovery of the incident, BORN immediately initiated collaboration with cybersecurity experts to comprehend the full extent of the breach and to reinforce system security. Notably, BORN Ontario has discontinued the use of the MOVEit software. The incident has been reported to the Office of the Information and Privacy Commissioner of Ontario, who is currently conducting a review. At present, there is no evidence to suggest that the copied data from BORN’s systems has been exploited for fraudulent activities. BORN has engaged experts to continuously monitor the dark web for any suspicious activity related to this breach. It’s crucial to note that the incident did not compromise or involve the following types of data typically sought by cybercriminals for identity theft purposes:
- Credit card, banking, or financial information.
- Social insurance numbers.
- OHIP version codes, expiry dates, or the 9-digit security number on the back of the card.
- Patient email addresses or passwords.
For detailed information about the incident and to determine if your personal information or that of a family member may have been affected, please visit bornincident.ca.
Alicia St.Hill, Executive Director of BORN Ontario, expressed the organization’s commitment to ensuring the safety of maternal and child healthcare data, stating, “Our work helps us learn how the care we provide today affects our health tomorrow. We want Ontario to be one of the safest places in the world to have a baby and to provide the best possible beginnings for lifelong health. We deeply apologize for this incident and are treating this matter with the utmost concern. While attacks on third-party software are difficult to prevent, we have taken measures to further strengthen our security controls to prevent this type of incident from happening again.”
For further information, please visit bornincident.ca for updates on this developing situation.