Better Outcomes Registry & Network. Le Registre et réseau des bons résultats dès la naissance

MOVEit Cybersecurity Incident

Incident Summary

  • BORN (the Better Outcomes Registry & Network) was impacted by a cybersecurity breach caused by a global vulnerability in Progress MOVEit, the software we use to perform secure file transfers.
  • During the breach, unauthorized copies of files containing personal health information were taken from BORN’s systems.  
  • The personal health information that was copied was collected from a large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023.
  • After becoming aware of the incident on May 31, 2023, BORN posted a public notice on our website about the incident and notified relevant authorities, including the Ontario Provincial Police and the Information and Privacy Commissioner (IPC) of Ontario.
  • An in-depth analysis revealed that the files copied during the breach contained personal health information of approximately 3.4 million people – mostly those seeking pregnancy care and newborns who were born in Ontario between January 2010 and May 2023. 
  • Data privacy is paramount to everything we do at BORN. We began working with cybersecurity experts immediately to isolate the affected computer server, contain the threat, investigate the full scope of the incident, and to ensure our systems were safe to continue our operations. While attacks on third-party software are difficult to prevent, we’ve taken additional measures to further strengthen our security controls to limit the potential for this type of incident happening again. 
  • At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes. We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale.  
  • There are no additional steps you need to take.

The information this website offers will help you determine if your data was affected. Please read on for more information. 

About BORN

BORN collects and uses information about pregnancy, birth, the newborn period and childhood to help improve care. We know that a person’s general health, the care they receive and the outcomes during their pregnancy, birth, and early childhood are important to lifelong health. We collect data from healthcare providers, labs, and hospitals who offer pregnancy and child health care, and process this data before packaging it into information that healthcare providers and organizations can use to guide care and improve decision making. The results are a better healthcare system providing improved healthcare experiences for you and your children. BORN’s data collection and use is approved by law, regulated by Ontario’s Information and Privacy Commissioner, and funded by the Ontario Ministry of Health. BORN collects data from healthcare providers pursuant to the authority afforded to it in the Personal Health Information Protection Act (PHIPA).    

We want Ontario to be one of the safest places in the world to have a baby and to inform the best possible beginnings for lifelong health.

What Happened?

During the breach, unauthorized copies of files with personal health information were taken from BORN’s systems. The personal health information that was impacted in the breach was collected from a large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023.

Am I Affected?

  • Did you give birth or was your child born in Ontario between April 2010 and May 2023?
  • Did you receive pregnancy care in Ontario between January 2012 and May 2023?
  • Did you have in-vitro fertilization or egg banking in Ontario between January 2013 and May 2023?

If you answered YES to any of the questions above, the following personal information of yours, or your child, may have been included in the privacy breach:  

  • Name
  • Address
  • Postal code
  • Date of birth
  • Health card number (with no version code)

The affected data does not include any banking or financial information such as credit card numbers, social insurance numbers, health card version, expiry or security codes, or patient email addresses.

Depending on the type of care you received, the following clinical information was also included in the breach:

  • Dates of service/care,
  • Lab test results,
  • Pregnancy risk factors,
  • Type of birth,
  • Procedures,
  • Pregnancy and birth outcomes (e.g., live birth, still birth, complications, diagnoses) associated with episodes of care you or your child may have received.

If you answered “no” to all the questions above, there is still a very small chance that your child’s information was impacted by this incident if they received certain types of care between January 2010 and May 2023. Please refer to the “Am I Impacted” tab for a list of care types and providers/facilities that shared data impacted by this incident.

In total, files included the personal health information of approximately 3.4 million people: 1.4 million individuals seeking prenatal or pregnancy care and 1.9 million newborns and children. For more information on the categories of care episodes affected and affected date ranges, please see the “Am I Impacted” tab.

At this time, there is no evidence to suggest that any of the data involved in this incident has been misused.

What is BORN doing?

Data privacy is paramount to everything we do at BORN. We began working with cybersecurity experts immediately after discovering the breach to isolate the affected computer server, contain the threat, investigate the full scope of the incident, and to ensure our systems were safe to continue our operations. We immediately stopped using the MOVEit software that allowed the breach to occur. The BORN registry continues to be functional and safe. 

We have notified the Information and Privacy Commissioner of Ontario (IPC) and are using the information provided on this website to provide you with detailed information about this incident.

At this time, there is no evidence that any of the data involved in this incident has been fraudulently misused. We continue to monitor the internet, including the dark web, for any activity related to this incident. If we become aware of any future misuse of the information, we will provide an update on our website. While attacks on third-party software are difficult to prevent, we’ve taken additional measures to further strengthen our security controls to limit the potential of this type of incident happening again.

What do I do now?

There are no additional steps you need to take.

We have consulted with industry experts, including the Ontario Provincial Police Cybercrimes Investigations team, and determined the type of information copied has a minimal risk of encouraging identity theft or fraud. 

It is important to always remain vigilant in protecting your information by monitoring your online accounts and reporting any unusual activity to the police and service providers.

BORN will never contact you by email, text, or phone requesting any sensitive personal information.

We deeply apologize for this incident. Should you have additional inquiries, please visit the FAQ portion of this page or call our hotline at 1 833 622 1361, available Monday-Friday, 9 AM to 5 PM. Due to the complexity of this incident, we are not able to provide any personal details about the information involved.

While we have reported the incident to the Information and Privacy Commissioner of Ontario (IPC) and they are reviewing the matter, you also have a right to make a complaint to the IPC.