A massive cyberattack that exposed the health data of mothers, newborn babies and parents seeking fertility treatment could have been entirely prevented if more protective measures had been in place, according to Canadian security experts.
The Better Outcomes Registry & Network (BORN) on Monday revealed that 3.4 million people — mostly those seeking pregnancy care and newborns who were born in Ontario — had their personal health information compromised in May.
“This is appalling,” said Ann Cavoukian, Ontario’s former information and privacy commissioner. “The personal health information that was copied was collected from a large network of mostly Ontario health-care facilities.”
If BORN had de-identified the data by stripping personal details such as names, health care numbers and addresses, it would have provided the “strongest protection” in the event of a data breach, she said.
“They didn’t say that they de-identified the data and that’s the very least they should have done,” Cavoukian added.
The health-care information that was stolen may have included data such as names, addresses, date of birth, health card number (with no version code), lab results from screening and diagnostic testing, pregnancy risk factors, type of birth and procedures and birth outcomes, BORN said in a statement posted Monday.
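As an added illustration of the de-identification Cavoukian describes (example code written for this page, not BORN's own system), the following Python strips the direct identifiers named in BORN's statement, generalizes the date of birth to a year, and replaces the health card number with a keyed pseudonym so records can still be linked across submissions without the number itself being stored or transferred. The record, field names and key are constructed for the example; the check at the end is the gate a practitioner would want in front of any file transfer job.

```python
"""
De-identify a pregnancy/birth record before it is staged for file transfer.
Added example, not BORN's code. Field names and the sample record are
constructed to match the categories of data the article lists.
"""
import hashlib
import hmac

# Direct identifiers: dropped outright (the health card number is replaced by a token).
DIRECT_IDENTIFIERS = {"name", "address", "health_card_number"}
# Quasi-identifier: full date of birth is reduced to the birth year.
QUASI_IDENTIFIERS = {"date_of_birth"}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "address": "1 Example Street, Ottawa ON",
    "health_card_number": "1234567890",
    "date_of_birth": "1990-04-12",
    "screening_result": "negative",
    "pregnancy_risk_factors": ["gestational diabetes"],
    "birth_type": "vaginal",
    "birth_outcome": "live birth",
}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.

    A plain SHA-256 of a 10-digit health card number is trivially brute-forced
    (only 10^10 candidates), so the secret key is what makes the token safe.
    The key must be held somewhere the transfer server cannot reach (a KMS or
    HSM, assumed here), never beside the data it protects.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers removed,
    the date of birth generalized and the health card number tokenized.
    Clinical fields (lab results, risk factors, birth data) are kept as-is."""
    out = {}
    for field, value in record.items():
        if field == "health_card_number":
            out["patient_token"] = pseudonym(value, key)
        elif field in DIRECT_IDENTIFIERS:
            continue
        elif field in QUASI_IDENTIFIERS:
            out["birth_year"] = str(value)[:4]
        else:
            out[field] = value
    return out


def contains_direct_identifiers(record: dict) -> bool:
    """Gate for the transfer job: True if any direct identifier survived."""
    return any(field in record for field in DIRECT_IDENTIFIERS | QUASI_IDENTIFIERS)


if __name__ == "__main__":
    # Constructed key for the demo; in practice fetched from the key store.
    demo_key = b"example-key-held-outside-the-transfer-server"
    safe = deidentify(SAMPLE_RECORD, demo_key)
    assert not contains_direct_identifiers(safe)
    print(safe)
```

The token is deterministic for a given key, so two submissions about the same patient link to each other, while anyone who copies the staged files (or the transfer server itself) learns nothing about who the patient is without the key.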
As of publication time, there was no searchable database or clear way for the public to definitively find out if their information was compromised.
BORN, an agency funded by the province, is responsible for gathering data related to pregnancies and births within Ontario. On Monday, it said a cybersecurity breach on May 31, 2023, had led to the exposure of data concerning 1.4 million people seeking pregnancy care and 1.9 million infants born in the province.
The cybercriminals copied health-care data on fertility, pregnancy, newborns and children that was stored on a server and covered the period from January 2010 to May 2023.
On learning of the breach, BORN said it posted a public notice on its website and informed the Ontario Provincial Police (OPP) and the Information and Privacy Commissioner of Ontario (IPC).
Global News reached out to BORN for comment about the data breach but did not hear back by the time of publication.
A spokesperson from the Office of the Information and Privacy Commissioner of Ontario told Global News in an email Tuesday that it was notified of the breach on June 14, and “promptly opened a file to look further into the matter.”
“Given that our investigation is in progress, we are unable to provide additional details at this time,” the spokesperson said. “BORN began notifying affected individuals yesterday.”
Cavoukian expressed concern about how long it took for the public to become aware of this hack.
“I’m shocked… in May they apparently contacted the OPP and the Information Commissioner of Ontario, and we heard squat from them,” she said.
Brett Callow, a Vancouver Island-based threat analyst with cybersecurity company Emsisoft, said another important aspect of this breach is that it’s not limited to Ontario alone, given that the stolen data dates back to 2010.
“It’s inevitable, as some of the people who were in Ontario at the time they became pregnant or had a baby, will have since moved elsewhere,” he said.
“People should be aware that their data may be out there that could potentially be misused. And just be super cautious — monitor bank accounts more closely and be on the lookout for any suspicious activity at all,” he added.
It’s not known how this information is being used and there is currently no evidence of it surfacing on the dark web, Callow said.
“That could change, though, at any point in time. And while this information wouldn’t be easy to be used for identity fraud, it could potentially be combined with other information and misused in that way,” he warned.
How did the data breach happen?
The leak was the result of the worldwide exploitation of a vulnerability in the file transfer software MOVEit.
MOVEit, made by Massachusetts-based Progress Software, allows organizations to transfer files and data between employees, departments and customers. BORN said it uses the software “to perform secure file transfers.”
By exploiting that vulnerability in the file transfer software, the hackers were able to copy certain files from one of BORN’s servers.
The health-care providers impacted ranged from midwifery practices and hospitals to fertility clinics and prenatal genetic screening labs. A full list is provided on BORN’s website.
“You have to wonder why that type of information would be stored in a file transfer application,” Callow said. “If that information no longer needs to be live, archive it, put it somewhere more secure, take it offline.”
Many organizations, including governments, private companies and banks, use MOVEit to transfer files, he said. And although the information was probably encrypted, the cybercriminals were still able to steal it.
“They discovered the vulnerability in this that enabled them to exploit and compromise a lot of organizations very quickly,” Callow said, adding BORN was not the only agency affected by the hack.
Previously, the cybercriminals, known as the Clop ransomware group, stated they had destroyed all data that came from governments and police departments related to the MOVEit breach, Callow said.
However, he does not know “whether there was any accuracy to that claim.”
“Given that they are cybercriminals, it would be a mistake to believe them. The safest assumption would be that they are still in possession of that data and may use it some way at some future point,” he said.
Since the mass exploitation of MOVEit began in May, thousands of organizations have been affected, Callow said, including a United States government contractor, U.S. colleges and universities, and insurance companies.
In June, the Nova Scotia government announced personal information was stolen through a global privacy breach after using the MOVEit software.
What are affected Ontario health-care providers doing?
Hospitals, midwifery practices, fertility clinics and neonatal intensive care units (NICUs) are just some of the health-care providers impacted by the BORN data hack.
Global News reached out to multiple care providers inquiring about the impact on patients and the measures taken to address potential concerns.
TRIO Fertility, which has 10 fertility clinics across Ontario, said BORN has apologized to all patients on its website and is “treating this matter with the utmost concern.”
In a statement on its website, Unity Health Toronto said, “We are among the many Ontario healthcare providers that share personal health information with BORN Ontario related to pregnancy, birth and newborn care – important healthcare encounters that can affect lifelong health.”
And a spokesperson from Trillium Health Partners said the organization is “aware of the BORN Ontario cybersecurity breach. At this time, patients and families with concerns or questions are asked to contact BORN by calling 1-833-686-0106 or emailing inquiries@bornontario.ca.”
What options do you have after your data is leaked?
On the BORN website, the agency said it continues to monitor the internet, including the dark web, for any activity related to the hack. So far no data has been posted or offered for sale.
“There are no additional steps you need to take,” BORN stated.
The agency said it is “important to always remain vigilant in protecting your information by monitoring your online accounts and reporting any unusual activity to the police and service providers. BORN will never contact you by email, text, or phone requesting any sensitive personal information.”
For those impacted by the data breach, Cavoukian recommends filing a complaint to the Ontario Ministry of Health and the IPC.
“Privacy is essential,” she said. “But we won’t know if this will happen again. It should never have happened in the first place.”
— with files from the Canadian Press and Global News reporter Uday Rana