[BreachExchange] 1 Million People Had Their Medical Data Exposed in Tū Ora Breach

Inga Goddijn inga at riskbasedsecurity.com
Tue Oct 8 10:23:36 EDT 2019


https://www.bleepingcomputer.com/news/security/1-million-people-had-their-medical-data-exposed-in-t-ora-breach/

Primary health organization (PHO) Tū Ora Compass Health from New Zealand
disclosed a security breach that led to the exposure of medical and
personally identifiable information (PII) of roughly 1 million people.

PHOs are non-governmental organizations (NGOs) designed to provide support
to the provision of fundamental primary health care services, mostly via
general practices, to enrolled people.

The NGO notified the National Cyber Security Centre, Ministry of Health,
Police, and other law enforcement agencies of the incident after its
discovery on August 5 following the Tū Ora website's defacement.

Roughly 1 million people affected

"Tū Ora holds data on individuals dating back to 2002, from the greater
Wellington, Wairarapa, and Manawatu regions. Anyone who was enrolled with a
medical center in that period could potentially be affected," says Tū Ora's
press security incident advisory.

"The current population of these areas is around 648,000 people, but
including those now deceased or who have moved away from the area, the data
covers nearly 1 million people."

Tū Ora Compass Health is one of 30 Primary Health Organizations (PHO) in
New Zealand. One of the roles of a PHO is to collect and analyze general
practice data. Medical centers provide PHOs like Tū Ora Compass Health some
limited patient data e.g. details of all those who have had immunizations.
[..] Tū Ora also delivers some clinical services such as podiatry, mental
health, and diabetes care. Patient information collected as part of
delivering these clinical services is contained within the Tū Ora IT
systems.

Following the attack, Tū Ora took down the affected servers and started an
investigation which led to the discovery of other previously undetected
intrusions going back to 2016.

Ashley Bloomfield, Ministry of Health Director-General of Health, said
<https://www.health.govt.nz/our-work/emergency-management/cyber-security-incident>
in a press conference that "there have been four intrusions by different
actors. Two of those would be described as 'hacktivists' and two of them by
more sophisticated actors and that's the extent of the information we have."

"The unauthorized access has now been identified as affecting, to a greater
or lesser degree, five lower North Island-based primary health
organizations that have a relationship with Tū Ora," Bloomfield added.

Exposed patient data

While the NGO doesn't know for sure that patient information has been
accessed as part of these security incidents, the possibility still exists
given that the threat actors behind them had access to all the stored data.

"We hold data that includes, who is enrolled at which medical center, their
National Health Index Number, name, date of birth, ethnicity, and address,"
says <https://www.compasshealth.org.nz/Cyber-Security-Incident> Tū Ora's
advisory.

"We also hold some medical information provided by medical centers to us
that we analyze and provide back to the medical centers to support timely
quality care. [..] We also hold some organizational financial data for the
practices and other health care providers that we work with e.g. invoices
and account details, that enable us to pay for services delivered."

"For some people, Tū Ora also holds additional clinical information used
for health promotion, such as smoking status, for managing chronic
conditions like diabetes, or to deliver services," adds the Ministry of
Health.

Luckily, the breached server did not store banking, credit card, or
financial info, nor did it store passport numbers, tax numbers, or driver
license numbers.

In response to the recently discovered security breaches, Tū Ora says that
it will be moving its websites to the Microsoft Azure platform and that it
will be using the Microsoft 365 suite's Advanced Threat Protection, device
and application protection, data loss protection, and full data encryption
features.