Better Outcomes Registry & Network. Le Registre et réseau des bons résultats dès la naissance

FAQ

What happened?

BORN Ontario was impacted by a cybersecurity breach caused by a vulnerability in the file transfer software, Progress MOVEit. This incident has affected hundreds of organizations around the world that used the same application to securely transfer their data. We used this application to securely transfer data to authorized partners and to move data used for analysis. As a result of the MOVEit vulnerability, an unauthorized third party was able to access and copy certain files that were in BORN Ontario’s possession.  

BORN Ontario took immediate action to contain the threat after being informed about the breach by the software vendor, Progress Software. We started an investigation into the incident with cybersecurity experts and took our systems offline to check for suspicious activity. Relevant authorities were notified, including the Ontario Provincial Police (OPP) and the Information and Privacy Commissioner of Ontario (IPC).   

Our investigation into the breach confirmed that the copied files included personal health information of people who received prenatal or pregnancy care in Ontario between January 2012 and May 2023. The data also included records of newborns and children who were born, or received specific care, in Ontario.   

For more information on the type of data and affected date ranges, please see the “Am I Impacted?” tab. 

When did you first discover the incident?

BORN Ontario learned of the breach on May 31, 2023. Within hours of learning of the breach, BORN Ontario took the affected server offline and engaged third-party cybersecurity experts to assist in the investigation. We also posted a public notice on our website in order to raise awareness about the incident.

Why am I only learning about this now?

BORN Ontario posted information about the incident on its website on June 7, 2023, and promised to update the public as soon as we had more information. 

This incident is complex and required a full review of the affected files, which took many weeks to complete. The investigation and review were necessary to provide you with accurate and complete information. We’ve worked hard to notify affected individuals as soon as possible.  

When did you report the incident to authorities?

Upon becoming aware of the incident on May 31, 2023, BORN notified the Ontario Provincial Police on June 1, 2023. The Information and Privacy Commissioner of Ontario was notified on June 5, 2023. Other key stakeholders and government officials were notified on June 6, 2023. We posted a public notice on our website on June 7, 2023.  

How many people were affected by this incident?

Our investigation has determined that approximately 3.4 million individuals, including pregnant individuals, babies and children, had their information affected by this incident.

There’s no evidence to suggest that any of the data involved in this incident has been misused for any fraudulent purposes.

My data

Who does BORN collect my data from?

BORN Ontario is funded by the Ministry of Health to collect, analyze, and share data from health care organizations including hospitals, midwifery practice groups, fertility clinics and labs. BORN links and analyzes data before packaging it into information that healthcare providers use to improve care and guide decision making. The results are a better healthcare system providing improved healthcare experiences for you and your children. As with all prescribed health registries, the Information and Privacy Commissioner of Ontario reviews our policies and procedures every three years to ensure they are compliant. BORN collects data from healthcare providers pursuant to the authority afforded to it in the Personal Health Information Protection Act (PHIPA).

Registries play a vital role in gathering, using, and sharing clinical care information. Personal health information is collected from networks of providers to improve healthcare experiences for you and your children. Province-wide data collection helps ensure that health quality efforts and the detection of specific missed care opportunities and health outcomes are equally captured and do not hide health inequities.

Is my/my child’s identity included? How and why?

The identities of the child and the pregnant individual are collected at the time of birth and when services are provided.

Identity is used to support patient care by informing care providers of care gaps, for example, missed health screening, and to ensure that records received from multiple sources can be linked accurately. It is extremely important for health quality measurement that providers be able to accurately identify who is receiving care and their health status.  

Has the information that was taken been misused/posted publicly?

At this time, there is no evidence to suggest that any of the data involved in this incident has been misused for any fraudulent purposes or posted publicly. We will continue to monitor the dark web for any activity related to this incident. If we become aware of any future misuse of the information, we will provide an update on our website.  

It is important to always remain vigilant in protecting your information by monitoring your online accounts, creating and maintaining strong, unique passwords for your online accounts, and reporting any unusual activity to the police and service providers.  

BORN Ontario will never contact you by email, text, or phone requesting any sensitive personal information.  

How can I find out what specific information of mine was accessed?

Unfortunately, due to the complex nature of the incident, we are not able to provide a personalized breakdown of your specific information affected. We deeply apologize for this incident. While attacks on third-party software are difficult to prevent, we have taken measures to further strengthen our security controls to limit the potential for this type of incident to happen again. For more information on the types of data affected based on the type of care you received, please see the “Am I Impacted” tab on our website. You do not need to take any additional steps. 

Why didn’t I receive a letter in the mail or a phone call that indicates that I was affected by this privacy breach?

Fertility, pregnancy, and newborn care is sensitive information. There is no evidence that the information copied in this breach has been misused for any fraudulent purpose or made public. BORN Ontario is maintaining the privacy and identity of those impacted and is not creating any written material that links people to their history of fertility treatment, childbirth, or pregnancy. This website offers information to notify you of the incident and help you determine if you or a family member were impacted.  

I’ve read the questions and I still am not sure if I’m impacted.

Please refer to the “Am I Impacted” tab on our website. You can also call our bilingual (English or French) hotline at 1 833 622 1361 available Monday-Friday 9 AM to 5 PM. Due to the complexity of this incident, we are not able to provide any personal details about the information involved. 

Does BORN collect from data providers outside of Ontario? 

As a prescribed Registry in Ontario, BORN does not collect personal health information from Health Information Custodians located outside of Ontario. 

However, de-identified data are collected from fertility clinics across Canada to provide quality-advancing information about fertility care quality, outcomes, and progress year over year, and to provide Canadian data to compare with other jurisdictions internationally.

Data from IVF clinics outside of Ontario, reflecting only in-vitro fertilization or egg banking treatments from January 2013 through May 2023, were impacted in this incident.   

These data do not include: 

  • Names 
  • Addresses 
  • Postal codes 
  • Phone numbers 
  • Health card numbers 
  • Patient emails 

IVF clinic names are also not identified in the affected data. Under the authority given to us by Ontario’s Personal Health Information Protection Act, BORN collects identifiers from Ontario-based clinics. This allows us to link those records to pregnancy, birth and child health data, providing richer analysis and information for Ontario about the outcomes experienced by patients who use, and pregnancies that result from, fertility-enhancing technology. This information informs policy and care decision-making.

Protecting myself

I’m worried about my health card being used fraudulently.

BORN Ontario does not collect health card version codes, making it difficult for the information that was copied in the breach to be used to commit health card fraud. 

However, if you suspect misuse of your health card number you can report suspected fraud by calling the Ministry of Health at 1-888-781-5556 or e-mail at [email protected].

To find out more about replacing lost or stolen OHIP cards, visit “Replace, cancel or change information on your health card” on ontario.ca.

What are the risks now?

At this time, there is no evidence to suggest that any of the data involved in this incident has been misused for any fraudulent purpose or made publicly available. Even though the personal health information contained in the registry is sensitive, BORN Ontario does not collect any personal financial information or the type of information that would typically be used to steal your identity.

Is there a risk of identity theft?

We have consulted with industry experts, including the Ontario Provincial Police Cybercrime Investigations Team, and determined the risk of identity theft to be extremely low. This is because the affected data does not include any banking or financial information such as credit card numbers, social insurance numbers, health card version, expiry or security codes, or patient email addresses. It is always important to remain vigilant and protect your information by monitoring your accounts and reporting any unusual activity to the police and relevant service providers. BORN Ontario will never contact you by email, text, or phone requesting any sensitive personal information. 

How can I contact the Information and Privacy Commissioner of Ontario? 

To make a complaint about the incident to the Information and Privacy Commissioner (IPC) of Ontario, visit the IPC website. If you have specific questions about the breach, refer to the “Am I Impacted?” tab on our website or call our hotline at 1 833 622 1361 available Monday-Friday 9 AM to 5 PM. Due to the complexity of this incident, we are not able to provide any personal details about the information involved.  

Data Protection

What are you doing to make sure this doesn’t happen again?

Data privacy is paramount to everything we do at BORN Ontario. Since discovering this incident, we’ve been working with cybersecurity experts to understand the full scope of the incident and to ensure our systems are and remain safe. At this time, there is no evidence that any of the data copied has been misused for any fraudulent purpose. We continue to monitor the dark web for any activity related to this incident, including BORN’s data being posted or offered for sale. We’ve detected no sign of that thus far. Additionally, the affected software is no longer in use.

Specific care questions

My baby was born at home, is our data affected?

Yes, it could be. Information is collected from providers and organizations involved in pregnancy, birth, and delivery, including registered midwives who may have supported your birth at home. For more information on the type of data affected, please see the “Am I Impacted” tab.

Were routine prenatal care appointments with my practitioner (Ob-gyn, family doctor, midwife, nurse practitioner, etc.) and specialist appointments (medical genetics, maternal-fetal-medicine specialist) included?

A selection of data from pregnancy records collected by care practitioners during these visits may have been collected by BORN prior to birth, and/or at the time of labour and birth (e.g., demographics, medical history, lab test results, pregnancy history, diagnostic and screening results like Group-B strep and gestational diabetes tests). 

What specific type of lab test results were included?

The following are the most common types of lab test results that were included:

  • Prenatal genetic screening: Approximately 70% of pregnant individuals in Ontario receive prenatal genetic testing. These blood tests, some performed in combination with ultrasound, detect chromosomal abnormalities in the unborn child including Trisomy 21 (Down syndrome), 18 and 13. Other, rarer prenatal genetic testing results used to detect other chromosomal abnormalities were also included in the affected data.
  • Group-B Strep screening test results: A common test performed on a pregnant person before birth to screen for a bacterium that can cause significant harm to a newborn.
  • Gestational Diabetes test results: Data would indicate if the individual was diagnosed with gestational diabetes. 
  • Newborn screening test results: These critical tests are done shortly after birth to look for treatable diseases that usually show no symptoms in the newborn period. Early detection of these diseases through newborn screening prevents serious health problems and can save lives. 

Please visit the “Am I Impacted” tab on our website to find out more information about the type of information and the date ranges of collection of the affected data.