An Ontario agency that collects data on pregnancies and births in the province says a cybersecurity breach earlier this year resulted in a leak of personal health information of approximately 3.4 million people.
The Better Outcomes Registry and Network Ontario said Monday that the breach in May resulted in information leaked largely regarding approximately 1.4 million people seeking pregnancy care and 1.9 million newborns born in the province.
The leak was the result of an international breach of file transfer software MOVEit, which the perinatal and child registry said it used to send information to authorized care and research partners.
"As a result of the incident, unauthorized parties were able to copy certain files from one of BORN's servers," BORN Ontario, which is funded by the Ministry of Health, wrote in a news release.
"Data in the copied files included personal health information collected from primarily Ontario fertility, pregnancy, and child health care providers."
Individuals are most likely to be affected by the privacy breach if they gave birth or had a child born between April 2010 to May 2023, received pregnancy care in Ontario between January 2012 and May 2023 or had in-vitro fertilization or egg banking between January 2013 and May 2023.
BORN Ontario said the compromised software is no longer in use and the breach has been reported to the Information and Privacy Commissioner's office, which is reviewing it. There is no evidence to date that the copied data has been misused for fraud, it added.
"We have engaged experts to monitor the dark web for any activity related to this incident," it said, adding BORN does not collect the type of information usually sought by cybercriminals for fraud, such as credit card or banking information, social insurance numbers, OHIP codes or patient email addresses or passwords.
However, breached information could include names, addresses, postal codes, birth dates and health-care numbers, according to information site bornincident.ca. It may have also included information on service or care dates, lab test results, procedures, pregnancy risk factors and birth outcomes.
There are no additional steps that need to be taken for those affected, and BORN Ontario said it consulted with industry experts and determined the type of information copied has minimal risk of leading to identity theft or fraud, according to the site. A hotline is available for more information.
"While attacks on third-party software are difficult to prevent, we have taken measures to further strengthen our security controls to prevent this type of incident from happening again," BORN Ontario executive director Alicia St. Hill wrote in a statement.
"We deeply apologize for this incident and are treating this matter with the utmost concern."
This report by The Canadian Press was first published Sept. 25, 2023.
Tyler Griffin, The Canadian Press