MOVEit breach delivers bundle of 3.4 million baby records

Progress Software vulnerability ID'd in enormous burglary at Ontario's BORN


Canada's Better Outcomes Registry & Network (BORN) fears a MOVEit breach allowed cybercriminals to copy 3.4 million people's childcare health records dating back more than a decade.

BORN, which collates and uses information on "pregnancy, birth, the newborn period and childhood to improve care," says it became aware of the incident on May 31 and notified relevant authorities, including the Ontario Provincial Police and the province's Information and Privacy Commissioner.

"During the breach, unauthorized copies of files containing personal health information were taken from BORN's systems," says the organization's incident notification page.

The perinatal and child registry collects data from healthcare providers, labs, and hospitals that provide pregnancy and child services. This information is then processed and packaged into chunks that healthcare providers and organizations can use to improve decision making.

"The personal health information that was copied was collected for a large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023," BORN said.

"An in-depth analysis revealed that the files copied during the breach contained personal health information of approximately 3.4 million people – mostly those seeking pregnancy care and newborns who were born in Ontario between January 2010 and May 2023."

The criminals used a vulnerability exposed in Progress Software's MOVEit file transfer platform to breach the registry, BORN confirmed. Upon discovery, BORN techies isolated the "affected computer server" to try to contain the threat and immediately stopped using MOVEit software.

More than 2,000 organizations have fallen foul of unpatched MOVEit installations, according to Emsisoft. More than 60 million individuals have been affected to date. "US-based organizations account for 88.8 percent of known victims, Germany-based 1.7 percent, Canada-based 4.7 percent, and UK-based 1 percent," said the security researcher in a blog published yesterday.

The issue began in May when Progress Software released an advisory and patch for a vulnerability that was then identified as CVE-2023-34362. It had a severity rating of 9.8 out of 10. Another patch was issued on June 9 for a vulnerability identified as CVE-2023-35036, then a third came out on June 15 for a vulnerability earmarked as CVE-2023-35708.

Ransomware crew Cl0p claimed responsibility for the attack on the MOVEit platform.

For those wondering if they're affected by the BORN incident, the answer is yes if your child was born in Ontario between April 2020 and May 2023; if you received pregnancy care in Ontario between January 2012 and May 2023; or if you had in-vitro fertilization or egg banking in Ontario between the start of 2013 and May 2023.

As such, the name, address, postal code, date of birth, and health card number of an individual and their child may have been included in the breach. The affected data does not include financial information, social insurance numbers, health card version, expiry or security codes, or patient email addresses.

"At this time, there is no evidence that any of the data involved in this incident has been fraudulently misused. We continue to monitor the internet, including the dark web, for any activity related to this incident," BORN says on its website.

"While attacks on third-party software are difficult to prevent, we've taken additional measures to further strengthen our security controls to limit the potential of this type of incident happening again." ®
