Hack accesses data of million patients
The medical data of up to 1 million people could be in criminal hands after cyber attacks dating back years.
The Wellington, Ka¯piti, and Wairarapa primary health organisation (PHO) Tu¯ Ora Compass Health has confirmed anyone enrolled in a medical centre in the region between 2002 and 2019 could be affected.
Manawatu¯ PHO Think Hauora could also be affected.
While individual doctor notes were not hacked, Tu¯ Ora’s computer system was. The extent that patient files were accessed was impossible to ascertain, chief executive Martin Hefford said.
PHOs held individual data such as medical centre enrolment information including names, ages, ethnicities, and addresses.
It also held data – in a way that could be linked back to individual patients – relating to smoking status and if patients had been advised to limit alcohol intake.
Some information was held on which children were due immunisations, whether diabetes checks were current, whether people over 65 had a flu vaccination, people admitted to hospital for potentially avoid able
conditions, women needing to be recalled for cervical screening, and people due for heart and diabetes checks.
Some services – such as mental health counselling, diabetes care, and podiatry services – were run by the PHO and were possibly accessed.
The current population of the area covered was about 648,000 but, given the information could go back to 2002, nearly 1 million living and dead people could be affected.
The PHO became aware it had been hacked in August after its website was defaced by global cyber security hack ‘‘Vanda the God’’.
The attack sparked Tu¯ Ora to takes services offline, strengthen security, and launch an investigation. That investigation – which included the National Cyber Security Centre, Ministry of Health, and police – found evidence of previous attacks going back to 2016.
‘‘Despite careful investigation, we cannot say for certain whether the cyber attacks resulted in any individual patient information being accessed. It is likely we will never know,’’ Hefford said. It was unclear who was behind the attacks, where they originated from, or what the purpose was, though one theory was harvesting information for the purpose of identity theft, he said.
PHOs oversee primary healthcare such as GPs and primary healthcare nurses. Tu¯ Ora provides primary health through 60 different general practice teams and other health providers. The PHO had publicly released information of the Vanda the God attack but, till now, had not released details about the wider hacks and security breaches.
Hefford said it planned to release this information on October 15 but that was brought forward after inquiries by Stuff.
Ministry of Health directorgeneral Ashley Bloomfield confirmed the ministry was notified. All PHOs and health boards were ordered to review their ‘‘external facing’’ cyber security and report back by October 8. Four of New Zealand’s 30 PHOs had responded by yesterday, as had 12 of New Zealand’s 20 health boards.
None so far had reported issues but each would go through an independent assessment.