A cybersecurity incident at a new child registry some months ago has resulted in a privacy breach involving 3.4 million Ontarians, investigations revealed.
The Better Outcomes Registry & Network (BORN) Ontario, today, provided an update on the data breach that it experienced on May 31.
“The incident was the result of the international breach of a vulnerability in the MOVEit file transfer software used to transfer information in its possession to authorized care and research partners,” BORN said in a statement. “As a result of the incident, unauthorized parties were able to copy certain files from one of BORN’s servers.”
Data in the copied files included personal health information collected from primarily Ontario fertility, pregnancy, and child health care providers, according to the BORN statement.
An in-depth analysis by BORN revealed that the copied files included personal health information of approximately 3.4 million people – mostly those seeking pregnancy care and newborns who were born in Ontario.
Individuals are likely impacted by this privacy breach if they:
- Gave birth or have a child born in Ontario between April 2010 and May 2023
- Received pregnancy care in Ontario between January 2012 and May 2023
- Had in-vitro fertilization or egg banking in Ontario between January 2013 and May 2023
The agency says that the MOVEit software is no longer in use at BORN and the incident was reported to the Office of the Information and Privacy Commissioner of Ontario.
“At this time, there is no evidence that any of the data copied from BORN’s systems has been misused for any fraudulent purposes,” BORN stated adding that experts have been engaged to monitor the dark web for any activity related to this incident.
BORN has created specific website – bornincident.ca.- for details about the incident and to help clients determine if they may have been affected.
“We deeply apologize for this incident and are treating this matter with the utmost concern,” said Alicia St.Hill, Executive Director, BORN Ontario. “While attacks on third-party software are difficult to prevent, we have taken measures to further strengthen our security controls to prevent this type of incident from happening again.”