February 2024 Update 
Our investigation is complete, and we have shared information with those affected through public channels.  We deeply regret any inconvenience that this incident has caused. If you have questions, please contact us at privacy@bornontario.ca

Late evening on May 31, BORN Ontario, the provincial perinatal, newborn and child registry, was made aware of a global vulnerability within the MOVEit data transfer software by Progress Software, an external software vendor used by BORN Ontario for the secure transfer of data files with authorized partners.  

The MOVEit data transfer software is used across the world by governments, private sector organizations and multinationals. Public reports suggest the MOVEit vulnerability has affected well over 2,500 organizations globally and advisories have been published by the Canadian Centre for Cyber Securityand other cybersecurity government agencies. 

In response, BORN Ontario immediately took steps to isolate systems, contain the threat, and launched an investigation by third-party cybersecurity experts to understand the scale of this matter. BORN has reported the incident to law enforcement and Ontario’s Information and Privacy Commissioner.  

The MOVEit vulnerability allowed unauthorized malicious third-party actors to access and copy files of personal health information contained in BORN Ontario records which had been transferred using the secure file transfer software.  

The investigation to date confirms that files being transferred using the MOVEit secure file transfer software were affected. The BORN Information System (BIS) was not compromised.

The affected MOVEit FTP Server that was exploited has been decommissioned.  The server will remain offline until changes to file transfer protocol are investigated and transfer operations are deemed safe to continue under updated configuration.

Patient privacy is of the utmost importance to us, and we know this event may raise many questions.

We are working with cybersecurity experts and data analysts to determine what information was taken and the number of individuals, practitioners, and organizations impacted.  We continue to work with our data partners as we address this incident and respond to it.  

We will share more information as soon as we can. BORN Ontario is not yet able to provide any information about the individuals affected by this incident as our investigation continues. The BORN Information system and other applications accessed from within are back in full operation and were not affected by this incident.

PLEASE NOTE: BORN Ontario will not ask for your drivers license, health card number, SIN, banking information, payment, or other personal information. BE AWARE: Following a cybersecurity incident sometimes there are phishing or scam attempts that try to use a privacy breach to steal additional information. Be safe and don’t share your personal information if asked.

 

About BORN Ontario

BORN is short for ‘Better Outcomes Registry & Network.’ As a provincial registry, BORN collects, interprets and shares important data about pregnancy, early development and child health. Its vision is ‘the best possible beginnings for lifelong health.’ The health-care information BORN collects, like other similar registry systems around the world, enables it to act as a safety net identifying gaps and discrepancies in care, feeding into rich quality assurance programs, monitoring and providing feedback on health system performance, informing health policy, and to support research that informs perinatal care and child health. BORN provides relevant and timely evidence to bridge the gap between science, policy, and practice. BORN Ontario is a provincially-funded program based at CHEO.

BORN Ontario does not collect:

  • Health card version codes, expiry dates, or the 9-digit security number on the back
  • images of health cards
  • Credit card information
  • Banking information
  • Social insurance numbers