Up to 1 million New Zealanders hit by health NGO’s data breach

Medical records compromised - new zealand NGO.jpg

Tu Ora Compass Health has been hit by cyber-attacks dating back to 2016,

A New Zealand primary health organization that provides essential healthcare has revealed a huge security breach, which may have exposed medical records concerning up to 1 million people.

Tū Ora Compass Health, which had its website defaced, took its server offline and notified the authorities of the cyber-attack on August 5, according to Bleeping Computer.

The organization immediately took its server offline and began an investigation, while strengthening its IT security. The investigation uncovered previous cyber-attacks which dated back to 2016, through to March 2019.

In a statement, Tū Ora said the motives behind the attacks are unknown, and it is unsure whether patient data was compromised, although so far there is no evidence that such data was accessed:

We cannot say for certain whether or not the cyber-attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people.

Tū Ora holds data on people in the greater Wellington, Wairarapa and Manawatu regions, with records dating back to 2002. Anyone enrolled with a medical center from that time onwards could possibly be affected by the breach.

The population in those areas actually totals 648,000 people, although the data held is actually on 1 million people when those who have moved away or are deceased are included.

However, the organization to clarify that it doesn’t hold GP notes, so details from any consultations with doctors are not at risk (neither does Tū Ora have any of the data contained in patient portals).

Patient records

The data that Tū Ora does hold includes the patient’s name and date of birth, ethnicity, National Health Index Number, and address, as well as which medical center they are enrolled at.

On top of that, there’s various miscellaneous information provided by medical centers, such as records of which children are due for immunization, and whether those over 65 have had a flu vaccine, for example.

In terms of strengthening its security, the organization has moved to a new platform, and is improving its antivirus and email scanning software, as well as establishing a Security Operations Center for real-time monitoring of threats.

Tū Ora noted: “We are also part way through a planned movement to more modern more secure infrastructure using Microsoft Azure. The new Tū Ora Microsoft Azure environment will be fully secured, with a defense in depth approach to protecting all our electronic assets.”

Paul Edon, senior directo of technical sales and services at security firm Tripwire, commented:

“Amassing hundreds of thousands of patient records in a single database increases the risk of compromising patient data should a breach occur. To ensure patients’ care and safety, healthcare organizations must ensure that their environment is duly protected against unauthorized changes and misconfigurations, which can make their environment susceptible to a cyber-attack.

Mr Edon added:

Given the increased cyber-attacks against healthcare organizations, it is simply no longer sufficient to be merely be compliant with security frameworks. When retaining this kind of data, it is critical to choose an encryption solution that not only protects the database instances, but also provide protection for data in transit and at rest.

Source: Tech Radar

If you liked this post, check out our Premium Privacy Insights for informative articles on wide-ranging global data privacy issues.

Peter BornerComment