Canadian Pregnancy and Newborn Care Agency Reports 3.4 Million-Record MOVEit Data Breach

BORN (Better Outcomes Registry & Network) in Canada has recently confirmed that the personal and health information of 3.4 million patients was stolen by the Clop ransomware group in an attack that exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer solution in late May 2023.

BORN is a Ministry of Health-funded agency that collects data on pregnancies and births in Ontario and used the MOVEit Transfer solution to transfer data to its care and research partners. After exploiting the vulnerability, the Clop hackers exfiltrated files that contained the data of 1.4 million patients who had sought pregnancy care through BORN and the data of 1.9 million newborn babies in Ontario. Individuals who had their information stolen had given birth to a child between April 2010 and May 2023, received pregnancy care from BORN between January 2012 and May 2023, or used the IVF or egg banking services between January 2023 and May 2023.

While a patch was released to fix the vulnerability, BORN said it has taken the decision to discontinue using the software and has taken additional steps to improve data security. BORN has also engaged a vendor to monitor the dark web for any release of the stolen data, which includes names, addresses, postal codes, birth dates, healthcare numbers, dates of service, lab test results, procedures, pregnancy risk factors, and birth outcomes.

The mass exploitation of the vulnerability allowed the Clop group to steal the records of more than 60 million individuals from at least 2,040 organizations worldwide and the totals are continuing to increase. After stealing data, Clop issued ransom demands, payment of which was required to prevent the release of the stolen data. It is unclear if BORN received a ransom demand and if it was paid.

While a data breach of 3.4 million health records is considerable, it is not the largest MOVEit health data breach reported so far. The government services contracting company, Maximus, said the protected health information of 11 million individuals was stolen by the Clop gang in the attacks.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of