New Zealand health NGO’s data breach could affect up to 1 million people

Best practice management software
(Image credit: Image Credit: Pixabay)

A primary health organization or PHO – NGOs which provide essential primary healthcare over in New Zealand – has just revealed a huge security breach which could potentially have exposed medical data pertaining to around 1 million people.

The PHO in question is Tū Ora Compass Health, which had its website defaced and notified the authorities in New Zealand of a cyber-attack on August 5, as Bleeping Computer reports.

The organization took its server offline as soon as it was aware security had been breached, and began an investigation, while strengthening its IT security.

That investigation uncovered previous cyber-attacks which dated all the way back to 2016, through to March 2019.

The statement from Tū Ora notes that the motives behind any of the attacks are unknown, and it’s unsure whether patient data was compromised or not, although it has no evidence that any such data was accessed.

The organization said: “We cannot say for certain whether or not the cyber-attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people.”

So, that doesn’t sound too comforting, of course.

Tū Ora holds data on people in the greater Wellington, Wairarapa and Manawatu regions, with records dating back to 2002. Anybody enrolled with a medical center from that time onwards could possibly be affected by the breach.

The population in those areas actually totals 648,000 people, although the data held is actually on 1 million people when those who have moved away or are deceased are included.

However, the organization to clarify that it doesn’t hold GP notes, so details from any consultations with doctors are not at risk (neither does Tū Ora have any of the data contained in patient portals).

Patient data

The data that Tū Ora does hold includes the patient’s name and date of birth, ethnicity, National Health Index Number, and address, as well as which medical center they are enrolled at.

On top of that, there’s various miscellaneous information provided by medical centers, such as records of which children are due for immunization, and whether those over 65 have had a flu vaccine, for example.

In terms of strengthening its security, the organization has moved to a new platform, and is improving its antivirus and email scanning software, as well as establishing a Security Operations Center for real-time monitoring of threats.

Tū Ora noted: “We are also part way through a planned movement to more modern more secure infrastructure using Microsoft Azure. The new Tū Ora Microsoft Azure environment will be fully secured, with a defense in depth approach to protecting all our electronic assets.”

Paul Edon, senior director, technical sales and services at security firm Tripwire, commented: “Amassing hundreds of thousands of patient records in a single database increases the risk of compromising patient data should a breach occur. To ensure patients’ care and safety, healthcare organizations must ensure that their environment is duly protected against unauthorized changes and misconfigurations, which can make their environment susceptible to a cyber-attack.

“Given the increased cyber-attacks against healthcare organizations, it is simply no longer sufficient to be merely be compliant with security frameworks. When retaining this kind of data, it is critical to choose an encryption solution that not only protects the database instances, but also provide protection for data in transit and at rest.”

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).