A significant data breach at the Better Outcomes Registry & Network (BORN) in Ontario has exposed the personal health information of approximately 3.4 million individuals, primarily those seeking pregnancy care and newborns born in the province. Security experts argue that the breach could have been prevented with better protective measures in place.
Global News covers the topic in detail, bringing in Ann Cavoukian, Ontario’s former information and privacy commissioner, who criticized BORN for failing to de-identify the data, which could have provided stronger protection in case of a breach. The compromised health information included names, addresses, dates of birth, health card numbers, lab results, pregnancy risk factors, and more.
As of the article’s publication, there was no clear way for the affected individuals to determine if their information was compromised. BORN, a provincial agency responsible for gathering pregnancy and birth-related data, reported that the breach occurred on May 31, 2023, affecting 1.4 million people seeking pregnancy care and 1.9 million infants born in the province.
The breach was attributed to a vulnerability in the MOVEit file transfer software, used by BORN for secure file transfers. While the information was likely encrypted, cybercriminals still managed to exploit the vulnerability and compromise numerous organizations, not limited to Ontario. The breach dated back to 2010, potentially impacting individuals who had moved since then.
Cybersecurity experts expressed concerns about the potential misuse of stolen data, although there was no evidence of it appearing on the dark web at the time. The data could be combined with other information for identity fraud.
Cavoukian voiced her dismay over the delay in informing the public about the breach, as it occurred in May but only came to light later. Affected individuals were urged to monitor their online accounts for unusual activity and report it to the police and service providers. Cavoukian recommended filing complaints with the Ontario Ministry of Health and the Information and Privacy Commissioner.
The BORN Ontario data breach highlights the critical importance of robust data security measures, especially in healthcare, and the need for swift and transparent responses when breaches occur.