A network containing the personal health information of millions of people in Ontario has been hacked, compromising a decade’s worth of medical records.
The data breach was reported by the Better Outcomes Registry and Network (BORN), which collects pregnancy, birth and early childhood information from all maternity hospitals in the province for research and policy planning to improve care.
Funded by the Ministry of Health and overseen by the Children’s Hospital of Eastern Ontario, the network bills itself as a database of “the most comprehensive mother-child health information in the world” collected by physicians across the province.
However, this information ended up in the hands of an unauthorized third party who gained access to MOVEit, a file transfer app used by BORN and countless other companies.
The network is just one of the many organizations affected by the mass attack, along with hundreds of universities, several life insurance companies, two U.S. public pension systems and anyone with an Oregon driver’s license.
And last year, about 100,000 people in Nova Scotia had their Social Security numbers, banking information, addresses and more stolen in a hack of the same software.
“An in-depth analysis found that the files copied during the breach contained personal health information for approximately 3.4 million people – primarily those seeking maternity care and newborns born in Ontario between January 2010 and May 2023,” BORN wrote in a statement about the crime on Monday.
“The copied personal health information was collected from a large network of health facilities and providers, primarily in Ontario, in the areas of fertility, pregnancy, newborn and child health.”
BORN Ontario was affected by a cybersecurity breach earlier this year. BORN is Ontario’s Birth and Child Health Registry and collects information from a network of healthcare providers in Ontario as part of the…
— BORN Ontario (@BORNOntario) September 25, 2023
The group has reassured residents that it does not currently believe the copied data has been used for fraudulent purposes, but it continues to monitor the internet for suspicious activity.
Up until this point, the network had ironically prided itself on its security, operating under the province’s Personal Health Information Protection Act with the authority to “collect, use and disclose personal health information without consent in order to facilitate or improve the provision of health care.”
“BORN Ontario is proud to be a trusted steward of personal health information,” their website states.
“[We] have implemented a rigorous program to protect personal health information from theft, loss, unauthorized access, copying, modification, use, disclosure and disposal. The Registry’s information practices and procedures are approved every three years by the Information and Privacy Commissioner of Ontario.”
The incident follows similar data breaches that have occurred at Air Canada, the LCBO and others in the last few weeks alone.