SickKids Devastated by Massive BORN Ontario Data Breach Affecting 3.4 Million Individuals
SickKids, a renowned children’s hospital, falls victim to a massive data breach that compromised 3.4 million records from the BORN Ontario database. Personal information of patients, including names, birthdates, and health card numbers, was exposed. This alarming incident highlights the urgent need for robust cybersecurity measures in the healthcare sector to protect sensitive data and ensure patient privacy.
SickKids Affected by BORN Ontario Data Breach
The Hospital for Sick Children, also known as SickKids, is one of the healthcare providers impacted by the recent breach at BORN Ontario.
As part of its operations, SickKids shares personal health information with BORN Ontario, specifically related to pregnancy, birth, and newborn care.
The BORN Ontario data breach, which affected 3.4 million individuals, was caused by the exploitation of a well-known zero-day vulnerability (CVE-2023-34362) in Progress MOVEit Transfer software.
Impact on SickKids
SickKids disclosed on September 25th that it is among the many Ontario healthcare providers that share sensitive health information with BORN Ontario. BORN Ontario is a perinatal and child registry that collects, interprets, shares, and protects critical data about pregnancy, birth, and childhood in the province of Ontario.
Since BORN Ontario was a victim of a security incident that affected 3.4 million people, SickKids warns that its patients and associates may also have been affected.
“We are among the many Ontario healthcare providers that share personal health information with BORN Ontario related to pregnancy, birth, and newborn care – important healthcare encounters that can affect lifelong health,” states SickKids in its disclosure.
BORN Ontario collects data from healthcare providers under the authority of the Personal Health Information Protection Act (PHIPA). The collected information is used to identify immediate care gaps, link information to appropriate care providers, perform health system quality assurance, and analyze data for emerging trends.
The exposed data from the BORN Ontario data breach included at least the following:
- Full name
- Home address
- Postal code
- Date of birth
- Health card number
Depending on the type of care received, the exposed data may also have included:
- Dates of service/care
- Lab test results
- Pregnancy risk factors
- Type of birth
- Procedures
- Pregnancy and birth outcomes
BORN has created a web page with details about the impact of the incident on its patients and who is likely affected by the data theft. You can find more information on BORN’s webpage.
SickKids, without providing specific details on the number of affected patients and associates, directs individuals to visit BORN’s webpage to determine if they have been impacted.
It is important to note that SickKids may not be the only hospital affected by the BORN Ontario security incident, and other healthcare providers may release similar disclosures in the coming weeks.
Last December, SickKids fell victim to the LockBit ransomware group. The group later apologized and blamed the mistaken targeting of a medical facility on an affiliate. They offered SickKids a “free decryptor” as compensation.