
Privacy watchdog probes breach at Toronto breast milk bank for fragile babies
CBC
Ontario's privacy watchdog is investigating a data breach at a breast milk bank that provides breast milk to medically fragile babies across the province.
The breach happened at the Rogers Hixon Ontario Human Milk Bank, according to the Office of the Information and Privacy Commissioner of Ontario. The milk bank is part of Sinai Health, a hospital system in Toronto.
The commissioner's office said in an email on Tuesday that Sinai Health told it about the breach on Feb. 10 and the office has opened a file.
However, Sinai Health said the data breach appears to have happened before that date.
In an email to CBC Toronto on Tuesday, Sinai Health said its vendor, Timeless Medical Systems, a third-party service provider, informed the milk bank on Dec. 21, 2022 that it was having "service issues." At that point, the milk bank stopped uploading documents to its servers and asked for regular updates on the situation.
Then on Jan. 12, its vendor told Sinai Health that the service issues were related to a "cybersecurity event."
"Immediately upon notification of the cybersecurity event, we worked to ensure that our data was returned and safely restored. Affected milk bank donors have been identified, contacted and are being supported throughout the process," Jennifer Specht, spokesperson for Sinai Health, said in the email.
"We are taking this matter very seriously and we deeply regret the impact that this cybersecurity event has had on our milk donors," Specht added.
The statement goes on to say the vendor is offering support to impacted donors that includes a year of credit monitoring and information on identity theft precautions.
According to a letter from the milk bank to families, obtained by CBC News, an "unauthorized third party" accessed and took milk bank data from the vendor's cloud-based file storage that included personal health information of donors and "certain applicants."
That data included names, addresses, phone numbers, email addresses, birthdays, OHIP numbers, family lifestyle and medical history records, family doctor information, questionnaire responses and results of a screening blood test. The letter says Timeless Medical Systems provides a cloud-based, electronic data management system.
"We immediately took action, requesting a report on the details of the incident and the scope of the data impacted," the letter reads. "We requested and received assurances that TMS secured its environment by deploying continuous cloud monitoring, ensuring that no further unauthorized access could occur."
According to the letter, TMS told the milk bank that it reported the breach to the RCMP and U.S. law enforcement. It also said it has recovered the data.
The letter says the data management system is an "important" part of the donor screening process because it allows the milk bank to track and trace processes. These include donor screening and approval, receipt and pasteurization of donated milk and distribution of the pasteurized donor milk to hospitals.