Incident Of The Week: New Zealand’s Tū Ora Compass Health Discloses Security Breach Of 1 Million Records

Unpatched Web Servers Led To Four Separate Attacks On Primary Health Organization

Jeff Orr

NZ Healthcare Breach

A New Zealand primary health organization (PHO) has disclosed that its systems were breached leading to approximately 1 million medical and personally identifiable information (PII) records compromised. Tū Ora Compass Health is a non-governmental organization (NGO) that connects citizens with its general practitioner (GP) network. Tū Ora services the Wellington, Kāpiti, and Wairarapa regions in the south of New Zealand’s North Island.

While the PHO does not hold medical notes from the GP network and executives say there are no network paths upstream to the GPs, the PHO does maintain enrollment details and national health ID numbers issued to citizens in addition to providing care services for diabetes among other afflictions.

See Related: Top 8 Industries Reporting Data Breaches In The First Half Of 2019

Executives for the organization say they do not know if the exposed data was accessed and to what extent. The exposed records, which date back to 2002, exceed the current population of the region due to previous patients either passing away or moving out of the service area. Tū Ora also supports another PHO for the Manawatu area called THINK Hauora, which may have also been impacted by this attack.

The attack was discovered on August 5 when the organization’s website was defaced. It took its systems offline and notified law enforcement including voluntary reporting to the Office of the Privacy Commissioner in early September. An unnamed source close to the situation reported that administrative privileges were also compromised in the attack, according to New Zealand’s Stuff Limited.

Four separate attacks have been recognized. Two of those attacks are classified as “hacktivists”. In addition, vulnerability testing performed after the breach notification identified additional areas of concern that have since been remediated. Regular auditing and/or monitoring of security and privacy for PHO and agency websites will be implemented.

The Ministry of Health acknowledged that an illegal cyber intrusion had occurred to the PHO’s systems and broadcast a livestream briefing. The National Health Coordination Centre is coordinating the health system’s national response to the incident, working with PHOs. The two months between the website defacing and the public notification consisted of a national cyber defense investigation, auditing of other websites to determine if this was an isolated incident, and putting in place the systems and services to support those affected by the data breach.

Systems have been put in place to support people whose information might have been affected. An immediate response was initiated while strengthening information systems against further unauthorized access, working with PHOs, district health boards and other Government agencies. Agencies and organizations involved may also undertake an independent audit to ensure transparency and assess risk to reduce or eliminate this type of intrusion in the future.

Timely patching and updating of software are necessary to avoid this type of vulnerability, say New Zealand security and privacy officials. Tū Ora had every intention of patching its systems, but had not performed the update when the attack occurred.

See Related: Patching And The Basics