Tū Ora Compass Health data breach exposes medical data of one million people

The health organization has admitted its failure in safeguarding user data.
Written by Charlie Osborne, Contributing Writer

Tū Ora Compass Health has revealed a data breach resulting in the potential exposure of sensitive medical information belonging to one million individuals. 

The primary health organization (PHO), formerly known as the Greater Wellington Health Trust, provides healthcare services when contracted by entities including GPs and community groups. Compass Health, in its present-day state, is the result of a merger of four PHOs -- Capital PHO, Tumai Mo Te Iwi, Kapiti PHO, and Wairarapa PHO. 

On October 5, the PHO said its website was defaced during a cyber incident that occurred in August. The public compromise of the website led to an investigation into Compass Health's overall IT systems and security posture, leading to the discovery of cyberattacks dating back from 2016 to March 2019. 

Compass Health says it holds information on users as far back as 2002 from the greater Wellington, Wairarapa and Manawatu regions in New Zealand. Anyone registered with a medical center during the 2016 - 2019 timeframe may be impacted. 

See also: Hey Google: What we search for most in cybersecurity .. cyber security?

"The current population of these areas is around 648,000 people, but including those now deceased, or, who have moved away from the area, the data covers nearly one million people," the organization says.

The organization says it holds data including who is registered at what medical center, National Health Index Numbers, names, dates of birth, ethnicity, and addresses. 

PHOs collect and analyze primary health data on long-term conditions, demographics, immunization records, diabetes checks, cervical screening logs, and flu shot records for those over 65 years of age.

"We also hold some organizational financial data for the practices and other health care providers that we work with e.g. invoices and account details, that enable us to pay for services delivered," the PHO added.

CNET: US negotiates sharing electronic evidence internationally

Compass Health said that no GP notes are stored and therefore should be safe. No banking, financial account data, passport numbers, driver license numbers, or, tax numbers belonging to patients have been involved in the security breach. 

The PHO added that it "cannot say for certain" whether or not patient information was stolen but it is necessary to "assume the worst."

After filing a complaint with law enforcement, the PHO has begun to work with the National Cyber Security Centre and the Ministry of Health to investigate how the cyberattacks were able to take place. 

TechRepublic: Shifting allegiances of hackers causing confusion for defense efforts

"We are devastated that we weren't able to keep people's information safe," said Martin Hefford, CEO of Compass Health. "While this was illegal and the work of cybercriminals, it was our responsibility to keep people's data safe and we've failed to do that."

The organization added that in light of the security incidents it plans to shift to a modern and more secure platform through Microsoft Azure. The move is expected to be completed by April 2020.

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards