- Quick take: A massive data breach in Ontario left the medical records of 3.4 million people exposed, highlighting vulnerabilities in the MOVEit file transfer software.
- Core insight: BORN Ontario revealed that the personal health information of those seeking pregnancy care and newborns was compromised, and experts suggest that this breach could’ve been prevented if the data was anonymized.
- What’s next: As consequences of this breach can span beyond Ontario, individuals need to remain vigilant, regularly monitor their accounts, and be wary of potential misuse of their information in the future.
In Ontario, a severe data breach left the medical records of mothers, newborn infants, and people seeking pregnancy care exposed. The breach, which leaked sensitive health details, could have been prevented entirely, Canadian security experts say.
The Better Outcomes Registry & Network (BORN) on Monday revealed that 3.4 million people — mostly those seeking pregnancy care and newborns who were born in Ontario — had their personal health information compromised in May.
“This is appalling. The personal health information that was copied was collected from a large network of mostly Ontario health-care facilities,” commented Ann Cavoukian, former Information and Privacy Commissioner of Ontario.
Ann pointed out that if BORN had anonymized the data by removing identifiable specifics such as names, health ID numbers, and residential details, it would have offered the “strongest protection” during a data breach incident.
“They didn’t say that they de-identified the data and that’s the very least they should have done,” Cavoukian added.
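The de-identification Cavoukian describes, as an added example that is not BORN's, Progress Software's or Global News's code: direct identifiers (name, address, health card number) are stripped before an extract is written anywhere a file transfer tool can reach, the health card number is replaced by a keyed HMAC token whose key never leaves the source system, and quasi-identifiers (birth date, postal code) are coarsened. The field names, sample rows and key are constructed for illustration; clinical fields are kept as they are, so a copied extract still supports analysis but no longer names anyone.

```python
"""De-identify a registry extract before it leaves the source system.

Added example, not code from BORN or Progress Software. Field names, sample
rows and the key are constructed for illustration.
"""
import hashlib
import hmac
from datetime import date

# Fields that identify a person directly; they never go into the extract.
DIRECT_IDENTIFIERS = {"name", "address", "health_card_number"}


def pseudonymize_id(health_card_number: str, key: bytes) -> str:
    """Replace a health card number with a keyed hash (HMAC-SHA256).

    The key stays in the source system only, so whoever copies the extract
    cannot reverse the token, while the same person still maps to the same
    token across extracts for longitudinal analysis.
    """
    digest = hmac.new(key, health_card_number.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def generalize_dob(dob: date) -> str:
    """Coarsen a full birth date to year and month."""
    return f"{dob.year:04d}-{dob.month:02d}"


def generalize_postal_code(postal_code: str) -> str:
    """Keep only the forward sortation area (first three characters)."""
    return postal_code.replace(" ", "").upper()[:3]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers removed, the
    health card number replaced by a keyed token, and birth date / postal
    code generalized. All other (clinical) fields are passed through."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "date_of_birth":
            out["birth_month"] = generalize_dob(value)
        elif field == "postal_code":
            out["fsa"] = generalize_postal_code(value)
        else:
            out[field] = value
    out["subject_token"] = pseudonymize_id(record["health_card_number"], key)
    return out


def residual_identifiers(record: dict) -> set:
    """Release check: direct identifiers still present. Empty set means clean."""
    return DIRECT_IDENTIFIERS & set(record)


def deidentify_batch(records: list, key: bytes) -> list:
    """De-identify every record and refuse to release the batch if any
    direct identifier survived."""
    cleaned = [deidentify(r, key) for r in records]
    for r in cleaned:
        leftover = residual_identifiers(r)
        if leftover:
            raise ValueError(f"direct identifiers still present: {leftover}")
    return cleaned


# Constructed sample rows: two encounters for the same (fictional) person.
SAMPLE_RECORDS = [
    {"name": "Example Person A", "address": "1 Example St",
     "postal_code": "M5V 2T6", "health_card_number": "0000000001",
     "date_of_birth": date(1990, 4, 12),
     "lab_result": "GBS negative", "birth_type": "vaginal"},
    {"name": "Example Person A", "address": "1 Example St",
     "postal_code": "M5V 2T6", "health_card_number": "0000000001",
     "date_of_birth": date(1990, 4, 12),
     "lab_result": "GDM screen normal", "birth_type": "caesarean"},
]

# Constructed key; in practice this is an HSM- or vault-held secret that is
# never copied onto the transfer server alongside the extract.
SAMPLE_KEY = b"constructed-demo-key-keep-in-source-system-only"

if __name__ == "__main__":
    for row in deidentify_batch(SAMPLE_RECORDS, SAMPLE_KEY):
        print(row)
```

The keyed token is the part that matters operationally: an unkeyed hash of a ten-digit health card number can be brute-forced, so the pseudonym must depend on a secret that is stored separately from the data it protects.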
The stolen health records may encompass details like names, residential addresses, birth dates, health ID numbers (minus the version codes), laboratory test results, risks associated with pregnancies, birth types, procedures conducted, and eventual outcomes, as disclosed by BORN in their recent statement.
As of the latest updates, no portal or searchable database has been made available for the public to confirm whether their personal data was exposed. BORN, an organization funded by the provincial government, collects data on pregnancies and births in Ontario. On Monday it confirmed a cyber intrusion on May 31, 2023, that exposed the health records of 1.4 million people seeking pregnancy care and a further 1.9 million newborns in the province.
The attackers copied health-related information covering fertility, pregnancy, newborn care, and child health that resided on a server and dated from January 2010 to May 2023.
Upon discovering this data breach, BORN promptly updated the public through a notice on their official site and engaged the Ontario Provincial Police (OPP) and the Information and Privacy Commissioner of Ontario (IPC) about the situation.
A spokesperson from the Office of the Information and Privacy Commissioner of Ontario told Global News in an email Tuesday that it was notified of the breach on June 14, and promptly opened a file to look further into the matter.
“Given that our investigation is in progress, we are unable to provide additional details at this time. BORN began notifying affected individuals yesterday,” the spokesperson stated.
Ann Cavoukian voiced her concern about the noticeable delay in notifying the public of the breach.
“I’m shocked… in May they apparently contacted the OPP and the Information Commissioner of Ontario, and we heard squat from them,” she commented.
Meanwhile, Brett Callow, a cybersecurity expert with Emsisoft based on Vancouver Island, highlighted that the implications of this breach transcend the boundaries of Ontario, considering the compromised data spans as far back as 2010.
“It’s inevitable, as some of the people who were in Ontario at the time they became pregnant or had a baby, will have since moved elsewhere. People should be aware that their data may be out there that could potentially be misused. And just be super cautious — monitor bank accounts more closely and be on the lookout for any suspicious activity at all,” he stated.
Currently, there’s no concrete information about the potential use of the compromised data, and no signs of it appearing on the dark web according to Callow.
“That could change, though, at any point in time. And while this information wouldn’t be easy to be used for identity fraud, it could potentially be combined with other information and misused in that way,” he said.
How did the BORN Ontario data breach happen?
The data exposure occurred due to a widespread breach of the file transfer application, MOVEit.
Produced by the Massachusetts-based firm Progress Software, MOVEit enables organizations to transfer files and data internally and to clients. BORN used the software specifically “to perform secure file transfers.”
However, during this transfer process, hackers managed to duplicate select files from a server owned by BORN.
The range of affected health-care establishments included hospitals, midwife clinics, fertility centers, and prenatal genetic testing labs. BORN has detailed these on their official website.
“It’s baffling that such sensitive data would be stored on a file transfer tool. If there’s no immediate need for the data to be accessible, better to archive and store it more securely, possibly offline,” Brett Callow stated.
Many entities such as governmental bodies, the private sector, and banking institutions rely on MOVEit for file transfer. Callow noted that while the data on it might have been encrypted, the hackers still managed to penetrate it.
“They discovered the vulnerability in this that enabled them to exploit and compromise a lot of organizations very quickly,” Callow said.
Previously, the attackers, identified as the Clop ransomware gang, claimed to have deleted all data from government and police entities taken in the MOVEit incident. Callow, however, expressed skepticism about this claim.
“Given that they are cybercriminals, it would be a mistake to believe them. The safest assumption would be that they are still in possession of that data and may use it some way at some future point,” he said.
After the major MOVEit data breach in May, numerous organizations worldwide felt the repercussions, Callow said. The list includes a U.S. government contractor, multiple U.S. educational institutions, and insurance firms.
Additionally, in June, the Nova Scotia government reported a breach of personal data due to a global privacy lapse associated with the MOVEit application.
Several healthcare providers in Ontario, including hospitals, midwife clinics, fertility centers, and Neonatal Intensive Care Units (NICU), have been affected by the data breach related to BORN.
Global News reportedly gathered responses from various care providers about the breach’s implications for patients and the subsequent steps they’ve taken to mitigate the concerns.
TRIO Fertility, with a network of 10 fertility clinics throughout Ontario, mentioned on their website that BORN has formally apologized to all their patients. They emphasized treating this incident with the highest level of seriousness and concern.
In a public statement, Unity Health Toronto conveyed, “We are among the many Ontario healthcare providers that share personal health information with BORN Ontario related to pregnancy, birth and newborn care – important healthcare encounters that can affect lifelong health.”
Additionally, a representative from Trillium Health Partners made it known that they’re fully cognizant of the BORN Ontario cybersecurity incident. They advised patients and their families, who have queries or concerns, to directly get in touch with BORN. They provided a contact number, 1-833-686-0106, and an email address, [email protected], for the same.
What can you do following a data breach?
On its official website, BORN has clarified that they are consistently scanning online platforms, inclusive of the dark web, to identify any signs of the compromised data being utilized or put up for sale. Until this moment, there’s been no indication of the leaked data appearing anywhere.
BORN has assured affected individuals by saying, “There are no additional steps you need to take.”
However, they’ve emphasized the constant need for alertness when it comes to safeguarding personal information. This includes regularly monitoring online accounts for any anomalies and promptly reporting any suspicious activities to the appropriate authorities and service providers. BORN also gave a clear warning, saying they will never initiate contact via email, text, or phone calls to request any sensitive personal details.
2023 has witnessed a surge in digital security challenges, with several prominent firms experiencing cyber-attacks and data leaks. Companies like Twitter, Sony, Dymocks, MGM, and Rollbar have faced these breaches.
Likewise, Nookazon, Forever 21, Duolingo, Discord.io, LifeLabs, PSNI, Maximus, Oregon DMV, and CoWIN have also been affected, underscoring the critical need for enhanced cybersecurity defenses.
Featured image credit: Kerem Gülen/Midjourney