Tū Ora Compass Health fails to secure sensitive data of 1 million people

Health organization faces a data breach that exposed personal medical information of roughly 1 million people

New Zealand health provider addresses a security breach that potentially exposed information about 1 million people.

Tū Ora Compass Health, a primary health organization (PHO) in New Zealand, revealed that a data breach may have leaked information from its servers.[1] The discovered attacks prompted the organization to take servers offline and increase security, but it admitted to not being able to keep the personal data secure.

The breach came to light during an investigation into a cyberattack spotted on August 5, which resulted in the defacement of Tū Ora's official website. The incident led to a more in-depth analysis of the cybersecurity infrastructure, which found evidence of cyberattacks dating back to 2016. According to the official advisory from Tū Ora,[2] there is a chance that the unknown attackers may have acquired administrative rights to the system that stored sensitive details of approximately 1 million people.

According to the Tū Ora press release, anyone enrolled at a medical center in the Wellington, Kāpiti, and Wairarapa region between 2002 and 2019 could be affected by the breach:

The current population of these areas is around 648,000 people, but including those now deceased, or who have moved away from the area, the data covers nearly 1 million people.

The exposed personal patient data did not include financial information

The PHO states that the broader investigation of Tū Ora's security measures found that more security incidents took place between 2016 and March 2019. Tū Ora Compass Health says that the information held about people registered at the medical center includes National Health Index numbers, names, birth dates, addresses, and ethnicity.

The same server also holds primary information records about long-term conditions, immunization, checks on patients' diabetes, demographics, cervical screenings, and data on recent flu shots. This information contains records for those who are over 65 years of age at the moment. Financial data regarding the practices and other health care providers that work with Tū Ora Compass may also have been leaked, including invoices and account details related to payments for services.

The company cannot say whether customer data was actually accessed or stolen, and many experts state that this is not easy to determine. It is assumed that people's information was leaked, so the company is responsible for informing all potential victims of this data breach. Luckily, information like banking or credit credentials, passport numbers, and driver's license numbers was not stored on the breached server.[3]

Tū Ora Compass will move to Microsoft Azure for better security

In response to the recent discoveries and the history of cyberattacks in the industry, the company says that its websites will be moving to the Microsoft Azure platform, which uses the Microsoft 365 suite's Advanced Threat Protection. This feature also provides device and application protection, data loss protection, and full file encryption. This is not the first health industry organization to make this particular change.[4]

It is assumed that administrative rights may have been compromised during the cybersecurity incident, but Chief Executive Martin Hefford stated that it was not known whether hackers obtained such rights to the PHO servers.[5] Experts ruled out any risk that hackers could interfere with medical center systems or access other networks.

However, this situation should be under control since Privacy Commissioner John Edwards confirmed his office was notified shortly after the data breach discovery. Patients should be aware that there is no guarantee that information was not exfiltrated by a third party.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.