Decade of Newborn Child Registry Data Stolen in MOVEit Mass-Hack
Ontario’s government-funded birth registry, BORN Ontario, has confirmed a data breach affecting approximately 3.4 million people who sought pregnancy care, including the personal health data of close to two million newborns and children across the Canadian province. The breach, discovered on May 31, involved hackers copying more than a decade’s worth of data, including fertility, pregnancy, newborn, and child healthcare information provided between January 2010 and May 2023.
The cyberattack was attributed to a mass-hack targeting MOVEit, a file transfer tool used by organizations to share large datasets over the internet. The notorious Russian-linked ransomware and extortion group, Clop, claimed responsibility for the MOVEit mass-hacks but has not yet claimed BORN as one of its victims. BORN collects data from healthcare providers, labs, and hospitals that offer pregnancy care and healthcare for children. The stolen information includes names, dates of birth, addresses, postal codes, health card numbers, and clinical data such as dates of care and service, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy and birth outcomes.
BORN said that individuals affected include those who gave birth or whose child was born between April 2010 and May 2023, those who received pregnancy care between January 2012 and May 2023, and those undergoing IVF or egg banking procedures between January 2013 and May 2023. There is also a chance that a child’s information was compromised if they received care between 2010 and 2023.
The MOVEit mass-hack has already affected more than 60 million individuals, with over a thousand organizations, including US federal agencies, impacted by the breach. Clop scanned the internet for affected devices and exploited a vulnerability in the software to access the data inside. File transfer tools like MOVEit are meant to be temporary platforms for data transfer, but many organizations had data stored on these servers for years.
BORN has contacted law enforcement and disclosed the incident to Ontario’s privacy watchdog, the Information and Privacy Commissioner (IPC). It is unclear when the IPC learned of the breach. The organization has not confirmed whether a ransom demand was made or whether any payment was made to the cybercriminals.
Security firm Emsisoft ranks the BORN breach as the sixth largest in terms of individuals affected in the MOVEit mass-hacks. The incident highlights the ongoing challenge organizations face in understanding where and how their data is stored and who has access to it.