Hacker offers to sell medical data
A mass hack has placed in jeopardy the medical details of a million people.
The Ministry of Health is in the dark over what — if anything — was taken in the cyber attack two months ago. It has admitted the hack attack revealed previous cyber intrusions going back to 2016 with data back to 2002 at risk.
The hack attack appears to have come from a hacker or hackers dubbed Vanda The God, which yesterday tweeted: “Yes I’m Have 1 million datas PHO Zealand.”
The tweet came with an offer to sell information.
The hack successfully targeted systems at Tu¯ Ora Compass Health, which provides data services to Think Hauora and patient services to Cosine, Te Awakairangi Health Network and Ora Toa.
There are about 648,000 people in the areas covered by the groups although the number of those affected could be up to one million when counting those who had died or moved.
Director-General of Health Dr Ashley Bloomfield said the National Cyber Security Centre had been working with health authorities since the hack was discovered in early August.
He said a decision had been made to not tell the public while effort went into checking how vulnerable other systems were, and while trying to discover if any been taken.
The review of health-related systems, which was ongoing, had since found three district health boards vulnerable to cyber attack. It would include all health boards and public health organisations.
The Ministry of Health said the data at risk included who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity and address. It could also include clinical information for health promotion, such as smoking status, for managing chronic conditions like diabetes, or to deliver services.
Tu¯ Ora Compass Health chief executive Martin Hefford said the August 5 hack was part of a “global cyber incident” which led to an investigation revealing the earlier attacks from 2016 through to March 2019.
“We don’t know the motive behind the attacks. We have laid a formal complaint with police and they are investigating. We cannot say for certain whether the cyber attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people.” data had actually