BORN Ontario says personal data of 3.4 million people affected by MOVEIt breach

It revealed which groups were impacted

BORN Ontario says personal data of 3.4 million people affected by MOVEIt breach



Ontario’s prescribed perinatal, newborn, and child registry has revealed that a data breach has compromised the personal health information of around 3.4 million people. 

The Better Outcomes Registry and Network (BORN) Ontario shared an update on the cybersecurity incident, part of worldwide MOVEIt hack, that occurred on May 31.

The registry most of the impacted individuals were either seeking pregnancy care or were newborns.

"We deeply apologize for this incident and are treating this matter with the utmost concern,” said Alicia St. Hill, executive director of BORN Ontario.

What happened in BORN Ontario’s cybersecurity breach?

BORN Ontario said it used the MOVEIt file transfer software to transfer information to authorized care and research partners.

During the incident, files were copied by unauthorized parties from one of its servers, BORN Ontario said.

These files included personal health information that were collected from Ontario fertility, pregnancy, and child health care providers that regularly contributed health information to them in line with the Personal Health Information Protection Act (PHIPA).

Individuals whose data were most likely impacted by the data breach include:

• Gave birth or have a child born in Ontario between April 2010 and May 2023.

• Received pregnancy care in Ontario between January 2012 and May 2023.

• Had in-vitro fertilization or egg banking in Ontario between January 2013 and May 2023.

“While attacks on third-party software are difficult to prevent, we have taken measures to further strengthen our security controls to prevent this type of incident from happening again,” said St. Hill.

BORN Ontario said it is no longer using the MOVEit software. The registry has also reported the incident to the Office of the Information and Privacy Commissioner of Ontario, which is reviewing the matter.

The registry also assured the public that it does not collect information that can be used by fraudulent activity such as:

• Credit card, banking, or financial information

• Social insurance numbers

• OHIP version codes, expiry dates, or 9-digit security number on the back of the card

• Patient email addresses or passwords

At the moment, there is still no evidence that stolen data has been misused for any fraudulent purposes, BORN Ontario said.

The registry also said it has been engaging with experts to monitor any activity that may be related to the incident.

What are your thoughts about this? Leave a comment down below.


Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!