Health, personal data of 1 million New Zealanders exposed in series of intrusions

News by Teri Robinson

Medical and personal information of about one million people was exposed after a breach at a primary health organisation located in New Zealand

The medical and personal information of about one million people was exposed after a breach of Tu Ora Compass Health, a primary health organisation (PHO) located in New Zealand.

The non-governmental organization (NGO) discovered four intrusions – by what Ministry of Health Director-General of Health Ashley Bloomfield said were two hacktivists and two "more sophisticated actors" – on 5 August after its website was defaced.

The breach "illustrates how third-party healthcare cybersecurity remains a pressing problem throughout the world," said Elad Shapira, head of research at Panorays, who noted that Tu Ora connected to 60 different general practice teams and other health providers and, like other healthcare companies, collected "some of our most sensitive and confidential data: personal and demographic information, financial statements, health details and insurance policies" that attackers can use for identity theft, insurance fraud, financial gain and blackmail.

"Amassing hundreds of thousands of patient records in a single database increases the risk of compromising patient data should a breach occur," said Paul Edon, senior director (EMEA) at Tripwire.

Tu Ora has retained data on patients "dating back to 2002, from the greater Wellington, Wairarapa and Manawatu regions. Anyone who was enrolled with a medical center in that period could potentially be affected," a New Zealand Herald report cited a Tu Ora press security incident advisory as saying, noting that while the current population of those regions was around 648,000, the list of those affected included people who are deceased or who have moved, bringing the total to about 1 million.

"According to the data breach statement, 17 years’ worth of personal data was potentially accessed not once, but four times before detected," said Jonathan Deveaux, head of enterprise data protection at comforte AG. "Unfortunately, there did not seem to be protections placed on the data itself, which means the personal data was left in clear text form. It’s a good thing that no payment info, tax numbers, passport numbers, nor driver’s license numbers were on the server; otherwise, those data elements would have been exposed as well."

Securing patients’ data requires healthcare organizations to "go beyond simply being compliant with security frameworks and ensure that their environment is duly protected against unauthorized changes and misconfigurations which can make their environment susceptible to a cyberattack," said Edon. "Given the increased cyberattacks against healthcare organizations, it is simply no longer sufficient to be merely be compliant with security frameworks. When retaining this kind of data it is critical to choose an encryption solution that not only protects the database instances but also provides protection for data in transit and at rest."

The original version of this article was published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews