Data on 3.4 million Ontario mothers, newborns, and children collected over the past 10 years has been stolen from the MOVEit file transfer server of a provincially-funded birthing registry, the latest organization to admit it was victimized by a zero-day vulnerability in the tool.
The Better Outcomes Registry & Network Ontario, also known as BORN, said Monday that data in the copied files included personal health information collected from primarily Ontario fertility, pregnancy, and child health care providers.
These providers include hospitals, midwifery practice groups, Expanded Midwifery Care Models (EMCM), birthing centres, fertility clinics, prenatal and newborn screening laboratories, follow-up clinics, clinical programs, and primary care organizations — which regularly contribute critical health information to the BORN Ontario perinatal and child health registry. The data is used to improve the health of mothers and their babies.
As soon as the BORN release was issued, Toronto’s Hospital for Sick Children said patient data from there and sent to BORN was part of the theft.
Those affected
- gave birth or have a child born in Ontario between April 2010 and May 2023;
- received pregnancy care in Ontario between January 2012 and May 2023;
- had in-vitro fertilization or egg banking in Ontario between January 2013 and May 2023.
Of the 3.4 million persons, 1.4 million were individuals seeking prenatal or pregnancy care, while 1.9 million were newborns and children.
Data collected included names, addresses, postal codes, dates of birth, and persons’ health card number — although that number didn’t include a version code, which healthcare providers would need for charging for services.
Still, a name and date of birth could be used for impersonation or creating phony ID.
BORN said it’s no longer using MOVEit.
As a medical data collector, BORN has to follow rules set by Ontario’s Personal Health Information Protection Act (PHIPA). Section 13(1) says health organizations in the province have to appoint a health information custodian who shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred, and disposed of in a secure manner and in accordance with the prescribed requirements.
Brett Callow, a B.C.-based threat analyst for Emsisoft, wondered why BORN had 10 years’ worth of data available for theft. “Hopefully,” he said in an email, “that is something that will be explained. On the face of it, it would appear to be a bad practice which resulted in this incident affecting far more people than it should have.”
In reply to a query, BORN said the stolen data had been encrypted using MOVEit’s 256-bit AES encryption for data at both rest and in transit. However, the zero-day vulnerability used by the attacker (an SQL injection vulnerability) allowed them to get administrator privileges, bypassing second-factor login authentication. That gaves the attacker the abilty to decrypt the data.
As for the amount of data stolen, BORN says it was in process of being transferred for several purposes, including longitudinal outcomes analysis and linking to other registry data sources as well as sharing with authorized health system partners.
According to statistics gathered by Emsisoft, so far an estimated 2,089 organizations around the world have been identified as being directly or indirectly involved in hacks of Progress Software’s MOVEit file transfer applications. Of those, the BORN hack would rank as the sixth biggest. Emsisoft believes data on over 62 million individuals has been stolen in hacks of MOVEit servers.
The exact numbers are hard to nail down. Some organizations sent data to several data processors to be worked on for different reasons, and the same data could have been stolen several times from different processors. For example, Colorado State University had data stolen from the MOVEit servers the institution sent to six partners. One of the biggest single corporate victims is Pension Benefit Information LLC (known as PBI), used by many American organizations to regularly check government and corporate databases to verify if benefits are properly paid to beneficiaries. A number have publicly reported their data was stolen from PBI.
Emsisoft says its numbers come from U.S. state data breach notifications, filings to the U.S. Securities and Exchange Commission (SEC) filings, other public disclosures as well as Cl0p’s ransomware gang’s website of claimed corporate victims. Clop said in June it discovered and exploited a MOVEit vulnerability (CVE-2023-34362).
Some companies are still finalizing the number of victims. For example, in August, Data Media Associates, a U.S. firm that makes patient billing solutions for doctors and hospitals, told the Maine attorney general’s office it was notifying over 74,000 people their data was stolen when its MOVEit file transfer server was hacked. On Monday it updated that number to over 98,000 people.
In addition to BORN, among the latest victim firms is the Harris Center for Mental Health and IDD of Texas, which told the Maine attorney general’s office in the past few days it is notifying almost 600,000 people their personal data was stolen from a service provider used by the center.
It isn’t clear when the Cl0p gang began exfiltrating data. Progress Software alerted the world of the vulnerability on May 31. After that, organizations realized they’d been hacked. According to Huntress Labs, no significant exploitation occurred after May.
Finding vulnerabilities in file transfer applications is a specialty of Cl0p: It also found one in Fortra’s GoAnywhere MFT application. Researchers at Kroll LLC believe the gang was likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021. For some reason, it decided to first hit GoAnywhere servers in February, before exfiltrating data from MOVEit servers.