BORN Ontario Cybersecurity Incident
BORN Ontario is a prescribed perinatal and child registry that is funded by the province’s Ministry of Health. BORN Ontario was the victim of a cybersecurity incident earlier this year and your information may have been impacted. The incident was caused by a vulnerability in the file transfer software BORN Ontario utilized, called MOVEit.
We are among the many Ontario healthcare providers that share personal health information with BORN Ontario related to pregnancy, birth and newborn care – important healthcare encounters that can affect lifelong health. BORN collects data from healthcare providers pursuant to the authority afforded to it in the Personal Health Information Protection Act (PHIPA). BORN Ontario uses this information to identify immediate care gaps affecting individuals, link information to appropriate care providers, perform health system quality assurance, and analyze data for emerging trends.
For specific details about the incident, and to find out if your or someone in your family’s information may have been impacted, please visit the BORN Ontario website www.bornincident.ca
BORN Ontario provides update on cybersecurity incident
BORN Ontario, today, is providing an update on the cybersecurity incident that it experienced in late May and its impact on Ontarians.
The incident was the result of the recent global MOVEit file transfer software vulnerability exploit. BORN Ontario used the MOVEit software to transfer information in its possession to authorized care and research partners. As a result of the exploit, unauthorized parties were able to copy certain files from one of BORN’s servers. Data in the copied files included personal health information collected from primarily Ontario fertility, pregnancy, and child health care providers. These providers regularly contribute critical health information to the BORN Ontario perinatal and child health registry, pursuant to the authority afforded to BORN in the Personal Health Information Protection Act (PHIPA).
An in-depth analysis revealed that the copied files included personal health information of approximately 3.4 million people – mostly those seeking pregnancy care and newborns who were born in Ontario.
Individuals were likely impacted by this privacy breach if they:
Gave birth or had a child born in Ontario between April 2010 and May 2023.
Received pregnancy care in Ontario between January 2012 and May 2023.
Had in-vitro fertilization or egg banking in Ontario between January 2013 and May 2023.
Data privacy is paramount to everything we do at BORN Ontario. We began working with cybersecurity experts immediately after discovering this incident to understand its full scope and to ensure our systems were safe. We reported the incident to the Office of the Information and Privacy Commissioner of Ontario, and they are reviewing the matter. At this time, there is no evidence that any of the data copied from BORN’s systems has been misused for any fraudulent purposes. We continue to monitor the dark web for any activity related to this incident.
For specific details about the incident, and to find out if your or a family members’ data may have been impacted, please visit the BORN Ontario website bornincident.ca.
“The work we do is intended to make Ontario one of the safest places in the world to have a baby and provide the best possible beginnings for lifelong health,” said Alicia St.Hill, Executive Director, BORN Ontario. “We deeply apologize for this incident and are treating this matter with the utmost concern. While attacks on third-party software are difficult to prevent, we have taken measures to further strengthen our security controls to limit the potential for this type of incident to happen again.”
Please visit bornincident.ca for more details.