The Hospital for Sick Children, more commonly known as SickKids, is among healthcare providers that were impacted by the recent breach at BORN Ontario.
The top Canadian pediatric hospital disclosed that as a part of its operations, it shares personal health information with BORN Ontario “related to pregnancy, birth and newborn care.”
The BORN Ontario data breach that impacted 3.4 million people was caused by the exploitation of well-known zero-day vulnerability (CVE-2023-34362) in Progress MOVEIt Transfer software.
SickKids also hit by BORN Ontario breach
On Monday, September 25th, SickKids disclosed that it is “among the many Ontario healthcare providers” that share sensitive health information with BORN Ontario, a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.
Since BORN Ontario was a victim of a security incident that affected 3.4 million people, as BleepingComputer reported yesterday, SickKids warns that its patients and associates may also have been affected.
“We are among the many Ontario healthcare providers that share personal health information with BORN Ontario related to pregnancy, birth and newborn care – important healthcare encounters that can affect lifelong health,” states SickKids in its disclosure.
“BORN collects data from healthcare providers pursuant to the authority afforded to it in the Personal Health Information Protection Act (PHIPA). BORN Ontario uses this information to identify immediate care gaps affecting individuals, link information to appropriate care providers, perform health system quality assurance, and analyze data for emerging trends.”
Exposed data of those impacted by the BORN Ontario data breach included, at a minimum:
- Full name
- Home address
- Postal code
- Date of birth
- Health card number
Depending on the type of care received by BORN, the exposed data may also have included:
- Dates of service/care,
- Lab test results,
- Pregnancy risk factors,
- Type of birth,
- Procedures,
- Pregnancy and birth outcomes
BORN has created a web page with details about the impact the incident has on its patients and who is likely affected by the data theft.
Without revealing additional details about how many SickKids patients and associates were affected, the hospital also directed parties to visit BORN’s aforementioned webpage, to find out if they have been impacted.
It is worth noting, SickKids may not be the only hospital to be affected by the BORN Ontario security incident, and similar such disclosures may be forthcoming from other healthcare providers in the upcoming weeks.
December last year, SickKids was hit by the LockBit ransomware group, who later apologized—blaming the erroneous act of targeting a medical facility on an affiliate, and offered the hospital a “free decryptor.”