Cyber Incident Victim: Better Outcomes Registry & Network
Date: May 2023
Location: Canada
Summary
BORN Ontario was impacted by a global cybersecurity vulnerability in the MOVEit secure file transfer software. Unauthorized actors exploited this flaw to copy files containing the personal health information of approximately 3.4 million individuals, primarily related to pregnancy and newborn care. The organization's core information system was not compromised. An investigation found no evidence the copied data has been misused. The affected server was decommissioned and authorities were notified.
Description
On or around May 31, 2023, the Better Outcomes Registry & Network (BORN Ontario), the provincial perinatal, newborn, and child registry, was made aware of a cybersecurity incident. The breach was caused by a global vulnerability within the MOVEit secure file transfer software, an application supplied by the external vendor Progress Software. BORN Ontario used this software to perform secure file transfers with its authorized partners. This MOVEit vulnerability was being exploited by unauthorized malicious third-party actors on a global scale, affecting well over 2,500 organizations worldwide according to public reports and prompting advisories from government cybersecurity agencies including the Canadian Centre for Cyber Security.

Upon becoming aware of the incident late in the evening on May 31, BORN Ontario immediately initiated its response protocol. The organization worked with third-party cybersecurity experts to isolate the affected computer server and contain the threat. The specific system compromised was the MOVEit FTP Server used for secure file transfers; however, the core BORN Information System (BIS) was confirmed not to have been compromised. An investigation was launched to understand the full scope of the incident, and the relevant authorities were notified, including the Ontario Provincial Police and the Information and Privacy Commissioner (IPC) of Ontario.
The vulnerability in the MOVEit software allowed the threat actors to access and copy files from BORN’s systems. The in-depth forensic analysis determined that unauthorized copies of files containing personal health information were taken. The data copied was collected from a large network of mostly Ontario health care facilities and providers. This information pertained to fertility, pregnancy, newborn, and child health care offered between January 2010 and May 2023. The investigation ultimately revealed that the personal health information of approximately 3.4 million people was contained within the copied files. The affected individuals were mostly those seeking pregnancy care and newborns who were born in Ontario during that thirteen-year period.
As a direct consequence of the incident, the exploited MOVEit FTP Server was decommissioned and will remain offline indefinitely. The organization stated that the server would not be brought back online until changes to the file transfer protocol were thoroughly investigated and transfer operations were deemed safe to continue under an updated and more secure configuration. The core BORN Information System and other applications accessed from within it were confirmed to be back in full operation and were not affected by the security compromise.
BORN Ontario’s primary response actions focused on containment, investigation, and reinforcement of security. The organization emphasized that data privacy is paramount and stated it took additional measures to further strengthen its security controls to limit the potential for a similar incident occurring in the future. While attacks on third-party software were noted as being difficult to prevent, the reinforcement of security was a stated priority. Public communication was also a key component of the response. BORN posted a public notice on its website about the incident on May 31 and established a dedicated informational website, bornincident.ca, to help individuals determine if their data was affected. By September 25, 2023, the investigation was declared complete, allowing the organization to share information publicly with those affected.
The impact of the incident was significant due to the vast quantity and sensitive nature of the personal health information that was copied. The data breach involved information collected under the authority of the Personal Health Information Protection Act (PHIPA) and regulated by Ontario’s Information and Privacy Commissioner. Despite the scale of the data exfiltration, BORN Ontario reported that at the time of its public updates, there was no evidence that any of the copied data had been misused for fraudulent purposes. The organization continues to monitor the internet, including the dark web, for any activity related to the incident and has stated it has found no sign of BORN’s data being posted or offered for sale. As a precaution, the public was advised to be aware of potential phishing or scam attempts that often follow such incidents and was warned that BORN Ontario would never ask for highly sensitive information such as a driver's license, health card number, Social Insurance Number, or banking details. The final public guidance stated that there were no additional steps individuals needed to take.
