Bulletin 251002 — Electronic Business Services Security Update

The Ministry of Health is upgrading to a stronger encryption method for Electronic Business Services, Health Card Validation and Medical Claims Electronic Data Transfer.

To: OHIP Billing Software Vendors
Category: Billing Software Specifications
Written by: Claims Services Branch, Health Programs and Delivery Division
Date issued: October 8, 2025
Bulletin Number: 251002

Overview

To ensure the ongoing security of Electronic Business Services (EBS), Health Card Validation (HCV) and the Medical Claims Electronic Data Transfer (MCEDT), the Ministry of Health (ministry) is upgrading their encryption security. The HCV upgrade will be effective October 8, 2025. The MCEDT upgrade will be effective October 22, 2025. This Bulletin is intended to provide details on the upgrade and the procedures required by billing software vendors.

Upgrade details

The ministry is upgrading from an AES-128-CBC encryption algorithm to an AES-256-GCM encryption algorithm for MCEDT and HCV services via EBSE.

New header details

Clients must include the custom HTTP header X-EBS-Version with a value of 2 in their request messages.

Ministry response

When the header is included, the results object in the response is protected using the AES-256-GCM encryption algorithm, ensuring confidentiality, integrity, and authenticity. The encryption key is securely wrapped using RSA-OAEP padding.

Benefits

This security update enables clients to use stronger encryption, replacing the legacy AES-128-CBC method. Clients who omit this header will receive responses using the legacy encryption scheme.

Clients are encouraged to make the switch as soon as possible as the legacy encryption may no longer be supported in the future. Although it is not required, conformance testing will be available.

Clients who wish to enter conformance must:

• Complete the Vendor Application for Conformance Testing-Acceptable Use Policy form
• Send the completed form to SSContactCentre.MOH@ontario.ca

Conformance testing

All new or existing service users entering conformance must include the header with a value of 2, to ensure that the most current encryption type is used. The legacy encryption will no longer be permitted for use in conformance.

Resources

The following documents have been updated to include this security update.

• Technical Specification for Electronic Business Services
• Technical Specification for Medical Claims Electronic Data Transfer (MCEDT) Service via Electronic Business Services (EBS)
• Technical Specification for Health Card Validation (HCV) Service via Electronic Business Services (EBS)

Keywords/Tags

MCEDT; HCV; EBS; security upgrade; vendor; encryption

Contact information

Do you have questions about this INFOBulletin? Email the Service Support Contact Centre or call 1-800-262-6524. Hours of operation: 8:00 a.m. to 5:00 p.m. Eastern Monday to Friday, except holidays.