Ontario’s government-funded birth registry has confirmed a data breach affecting some 3.4 million people who sought pregnancy care, including the personal health data of close to two million newborns and children across the Canadian province.
BORN Ontario said in a statement on Monday that hackers copied more than a decade’s worth of data including fertility, pregnancy, newborn and child healthcare offered between January 2010 and May 2023.
News of the breach comes after the incident was discovered on May 31. It’s not known for what reason BORN took months to notify affected individuals that their information was compromised.
BORN attributed the cyberattack to the mass-hack targeting MOVEit, a file transfer tool used by organizations to share large datasets over the internet. The notorious Russian-linked ransomware and extortion group Clop claimed responsibility for the MOVEit mass-hacks, but has not yet claimed BORN as one of its victims, according to a review of its dark web leak site that it uses to threaten to publish the victims’ stolen data in exchange for paying a ransom.
BORN collects data from healthcare providers, labs and hospitals that offer pregnancy care and healthcare for children. This data is then provided to healthcare providers to guide and improve care.
The organization said it contacted law enforcement and disclosed the incident to Ontario’s privacy watchdog, the Information and Privacy Commissioner, which oversees BORN. In a statement issued late Monday, the Information and Privacy Commissioner of Ontario Patricia Kosseim said her office was notified of the incident on June 14. When reached by TechCrunch, IPC spokesperson Jason Papadimos declined to answer any of our questions.
It’s not clear if BORN received a ransom demand or paid the cybercriminals. BORN Ontario spokesperson Tammy Kuepfer did not return a request for comment.
BORN said that individuals affected include those who gave birth or whose child was born between April 2010 and May 2023; those who received pregnancy care between January 2012 and May 2023; and those undergoing IVF or egg banking procedures between January 2013 and May 2023. BORN said there was still a chance that a child’s information was compromised if the child received care between 2010 and 2023.
The cybercriminals stole names, dates of birth, addresses and postal codes, and health card numbers, the organization confirmed. The clinical information stolen includes dates of care and service, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy and birth outcomes and associated care.
The MOVEit mass-hack has claimed more than 60 million affected individuals so far, though given only a fraction of affected organizations have disclosed their incidents, the number of victims is likely to be significantly higher.
More than a thousand organizations, including U.S. federal agencies, which relied on the affected MOVEit software, are affected by the mass-hack. Clop is said to have discovered a vulnerability in the software that allowed the cybercriminals to scan the internet for affected devices and mass raid the data inside. Clop is also responsible for hacking at least two other file transfer tools in recent years.
Allan Liska, a threat intelligence analyst at Recorded Future, said at TechCrunch’s Disrupt conference in San Francisco on Thursday that file transfer tools like MOVEit are supposed to be a temporary platform to transfer data, but that many organizations had data sitting on those servers for years.
“Understanding where and how your data is being stored, who has your data, and so on is an additional challenge that organizations have to deal with,” Liska said.
According to the latest data from security firm Emsisoft, BORN is the sixth largest breach of data by individuals affected in the MOVEit mass-hacks, behind Maximus, Alogent and the states of Louisiana, Colorado and Oregon. Last week, the National Student Clearinghouse said that its MOVEit-related data breach affected almost 900 schools across the United States.
Updated with comment from the Information and Privacy Commissioner of Ontario.
Comment