Data on 3.4 million mothers, children stolen from Ontario registry

Data on 3.4 million Ontario mothers, newborns, and children collected over the past 10 years has been stolen from the MOVEit file transfer server of a provincially-funded birthing registry, the latest organization to admit it was victimized by a zero-day vulnerability in the tool.

The Better Outcomes Registry & Network Ontario, also known as BORN, said Monday that data in the copied files included personal health information collected from primarily Ontario fertility, pregnancy, and child health care providers.

These providers include hospitals, midwifery practice groups, Expanded Midwifery Care Models (EMCM), birthing centres, fertility clinics, prenatal and newborn screening laboratories, follow-up clinics, clinical programs, and primary care organizations — which regularly contribute critical health information to the BORN Ontario perinatal and child health registry. The data is used to improve the health of mothers and their babies.

As soon as the BORN release was issued, Toronto’s Hospital for Sick Children said patient data from there and sent to BORN was part of the theft.

Those affected

  • gave birth or have a child born in Ontario between April 2010 and May 2023;
  • received pregnancy care in Ontario between January 2012 and May 2023;
  • had in-vitro fertilization or egg banking in Ontario between January 2013 and May 2023.

Of the 3.4 million persons, 1.4 million were individuals seeking prenatal or pregnancy care, while 1.9 million were newborns and children.

Data collected included names, addresses, postal codes, dates of birth, and persons’ health card number — although that number didn’t include a version code, which healthcare providers would need for charging for services.

Still, a name and date of birth could be used for impersonation or creating phony ID.

BORN said it’s no longer using MOVEit.

As a medical data collector, BORN has to follow rules set by Ontario’s Personal Health Information Protection Act (PHIPA). Section 13(1) says health organizations in the province have to appoint a health information custodian who shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred, and disposed of in a secure manner and in accordance with the prescribed requirements.

Brett Callow, a B.C.-based threat analyst for Emsisoft, wondered why BORN had 10 years’ worth of data available for theft. “Hopefully,” he said in an email, “that is something that will be explained. On the face of it, it would appear to be a bad practice which resulted in this incident affecting far more people than it should have.”

In reply to a query, BORN said the stolen data had been encrypted using MOVEit’s 256-bit AES encryption for data at both rest and in transit. However, the zero-day vulnerability used by the attacker (an SQL injection vulnerability) allowed them to get administrator privileges, bypassing second-factor login authentication. That gaves the attacker the abilty to decrypt the data.

As for the amount of data stolen, BORN says it was in process of being transferred for several purposes, including longitudinal outcomes analysis and linking to other registry data sources as well as sharing with authorized health system partners.

According to statistics gathered by Emsisoft, so far an estimated 2,089 organizations around the world have been identified as being directly or indirectly involved in hacks of Progress Software’s MOVEit file transfer applications. Of those, the BORN hack would rank as the sixth biggest. Emsisoft believes data on over 62 million individuals has been stolen in hacks of MOVEit servers.

The exact numbers are hard to nail down. Some organizations sent data to several data processors to be worked on for different reasons, and the same data could have been stolen several times from different processors. For example, Colorado State University had data stolen from the MOVEit servers the institution sent to six partners. One of the biggest single corporate victims is Pension Benefit Information LLC (known as PBI), used by many American organizations to regularly check government and corporate databases to verify if benefits are properly paid to beneficiaries. A number have publicly reported their data was stolen from PBI.

Emsisoft says its numbers come from U.S. state data breach notifications, filings to the U.S. Securities and Exchange Commission (SEC) filings, other public disclosures as well as Cl0p’s ransomware gang’s website of claimed corporate victims. Clop said in June it discovered and exploited a MOVEit vulnerability (CVE-2023-34362).

Some companies are still finalizing the number of victims. For example, in August, Data Media Associates, a U.S. firm that makes patient billing solutions for doctors and hospitals, told the Maine attorney general’s office it was notifying over 74,000 people their data was stolen when its MOVEit file transfer server was hacked. On Monday it updated that number to over 98,000 people.

In addition to BORN, among the latest victim firms is the Harris Center for Mental Health and IDD of Texas, which told the Maine attorney general’s office in the past few days it is notifying almost 600,000 people their personal data was stolen from a service provider used by the center.

It isn’t clear when the Cl0p gang began exfiltrating data. Progress Software alerted the world of the vulnerability on May 31. After that, organizations realized they’d been hacked. According to Huntress Labs, no significant exploitation occurred after May.

Finding vulnerabilities in file transfer applications is a specialty of Cl0p: It also found one in Fortra’s GoAnywhere MFT application. Researchers at Kroll LLC believe the gang was likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021. For some reason, it decided to first hit GoAnywhere servers in February, before exfiltrating data from MOVEit servers.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now