Primary health organization (PHO) Tū Ora Compass Health from New Zealand disclosed a security breach that led to the exposure of medical and personally identifiable information (PII) of roughly 1 million people.
PHOs are non-governmental organizations (NGOs) set up to support the provision of fundamental primary health care services, mostly via general practices, to enrolled people.
The NGO notified the National Cyber Security Centre, Ministry of Health, Police, and other law enforcement agencies of the incident after its discovery on August 5 following the Tū Ora website’s defacement.
Roughly 1 million people affected
“Tū Ora holds data on individuals dating back to 2002, from the greater Wellington, Wairarapa, and Manawatu regions. Anyone who was enrolled with a medical center in that period could potentially be affected,” says Tū Ora’s press security incident advisory.
“The current population of these areas is around 648,000 people, but including those now deceased or who have moved away from the area, the data covers nearly 1 million people.”
Tū Ora Compass Health is one of 30 Primary Health Organizations (PHO) in New Zealand. One of the roles of a PHO is to collect and analyze general practice data. Medical centers provide PHOs like Tū Ora Compass Health some limited patient data e.g. details of all those who have had immunizations. [..] Tū Ora also delivers some clinical services such as podiatry, mental health, and diabetes care. Patient information collected as part of delivering these clinical services is contained within the Tū Ora IT systems.
Following the attack, Tū Ora took down the affected servers and started an investigation which led to the discovery of other previously undetected intrusions going back to 2016.
Ashley Bloomfield, Ministry of Health Director-General of Health, said in a press conference that “there have been four intrusions by different actors. Two of those would be described as ‘hacktivists’ and two of them by more sophisticated actors and that’s the extent of the information we have.”
“The unauthorized access has now been identified as affecting, to a greater or lesser degree, five lower North Island-based primary health organizations that have a relationship with Tū Ora,” Bloomfield added.
Exposed patient data
While the NGO doesn’t know for sure that patient information has been accessed as part of these security incidents, the possibility still exists given that the threat actors behind them had access to all the stored data.
“We hold data that includes, who is enrolled at which medical center, their National Health Index Number, name, date of birth, ethnicity, and address,” says Tū Ora’s advisory.
“We also hold some medical information provided by medical centers to us that we analyze and provide back to the medical centers to support timely quality care. [..] We also hold some organizational financial data for the practices and other health care providers that we work with e.g. invoices and account details, that enable us to pay for services delivered.”
“For some people, Tū Ora also holds additional clinical information used for health promotion, such as smoking status, for managing chronic conditions like diabetes, or to deliver services,” adds the Ministry of Health.
Luckily, the breached server did not store banking, credit card, or financial info, nor did it store passport numbers, tax numbers, or driver license numbers.
In response to the recently discovered security breaches, Tū Ora says that it will be moving its websites to the Microsoft Azure platform and that it will be using the Microsoft 365 suite’s Advanced Threat Protection, device and application protection, data loss protection, and full data encryption features.