Ministry of Health working with Tū Ora Compass over cyber intrusion

5 October 2019


The Ministry of Health has been working closely with Tū Ora Compass Health PHO following confirmation of illegal cyber access to its computer system. 

Tū Ora notified the Ministry as soon as it became aware of unauthorised access in early August. Further investigation confirmed previous illegal unauthorised access dating back to 2016.  

This means data may have been accessed for up to an estimated 1 million people and could include data going back to 2002.

The unauthorised access has now been identified as affecting five lower North Island based PHOs (Public Health Organisations) which have a relationship with Tū Ora. The illegal access is a crime and has been referred by Tū Ora to the Police.  

"Before making details of the cyber intrusion public, we wanted to ensure the Tū Ora Compass information systems were secure and that there were appropriate supports in place for people who may be concerned at potential disclosure. We were also concerned to ensure publicity wouldn't increase the risk of further online harm," says Dr Ashley Bloomfield, Director-General of Health.

"We have also been taking advice from the Government Communications and Security Bureau. Secure information exchange between health agencies is critical for the provision of modern, high quality healthcare."

The Ministry of Health supports the affected PHOs in publicising these incidents of unauthorised access. Tū Ora Compass PHO has now strengthened its security following the incident.

Dr Bloomfield says anyone concerned about the incidents can contact the Ministry of Health's call centre on 0800 499 500 or +64 6 9276930 for overseas callers.

"Additional supports, such as counselling, health advice or other services are being arranged for those people concerned by the unauthorised access."

The Ministry of Health is working with other PHOs and DHBs to check their systems have also been strengthened. Additional monitoring and cyber 'stress testing' of DHB and PHO computer security is being undertaken. The Ministry is working with health sector agencies to strengthen defences following the testing.  

The Ministry of Health and the GCSB believe the testing now underway will identify areas where further action can be taken to strengthen information security measures at PHOs and DHBs.

The Ministry will be regularly publicly reporting on progress with this work for the remainder of this year.


Ministry of Health media contact
Peter Abernethy
021 366 111

 

Key Questions and Answers

How do I know if my information has been accessed?

If you live in the lower North Island (Palmerston North or lower) then you are likely affected.  However, we don't know if any information was taken.  The five PHOs do not hold consultation notes written by doctors after consulting with you.  Other information including referrals, diagnostic tests, and laboratory results were held and may have been accessed.  The data held by the PHOs goes back to 2002.

How can I find out what's held about me?

We can't at this stage provide information about individuals that was on the IT system due to the way the information was collated and reported.  But we can say what types of information was held.  The Ministry and PHO continue to investigate whether this information, at an individual level, can be realistically provided.

Secure information exchange between health agencies is critical for the provision of modern, quality and evidence-based healthcare.

Is my information still at risk?

Tu Ora Compass PHO has  strengthened its security following the incident.  The Ministry of Health is working with other PHOs and DHBs to check their systems have also been strengthened.

Why did this happen?

The PHO's investigation shows that its systems were vulnerable due to it having outdated software which was no longer being updated to ensure it remained protected.  The PHO was in the process of updating its software when it became aware of the breach.

Who is to blame?

The key focus to date has been on ensuring the cyber security risks are managed.  There remains ongoing work to look at who was at fault and how we can improve systems to limit the chances of this occurring again.

Can this happen again?

The Ministry of Health is working with other PHOs and DHBs to check their systems have also been strengthened.  This work is expected to take around 3-4 months.  The Ministry will be publicly reporting on the outcome of this work.

Why are there so many instances of information breaches of information?

CERT NZ The Government's Computer Emergency Response Team received close to 1200 reports in the three months to 30 June this year - the bulk of them being scams or fraud. The health sector is not immune from this. The health sector continues its programme to strengthen its cyber security.  We know cyber crime will continue to be an ongoing threat.

Why did it take so long for the problem to be found?

The investigation revealing the breaches in the past was triggered by the defacing of the website.  The same week the PHO was planning to start the upgrade of its cyber security.  The PHO acted as soon as the defacing of the website occurred. The Ministry of Health is now working with PHOs on strengthening their cyber security.

How long have you known and why did you take so long to tell everyone?

Health authorities have known since 5 August 2019 and since then have been working to provide more information about the incident - Tu Ora published a media release on 15 August 2019 about its website being defaced.  

As part of responsible disclosure, public health authorities wished to ensure there were appropriate supports in place for people who may be concerned at the potential disclosure - as well as taking steps to ensure publicity wouldn't increase the risk of further online harm. 

Testing and monitoring of other PHOs and DHBs has been carried out and security measures improved for those organisations.


Tanya Katterns
PIM NHCC
Ministry of Health
DDI:
Mobile:

http://www.health.govt.nz
Tanya.Katterns@health.govt.nz

Last updated: October 5, 2019