National Party attacks Government over Tū Ora PHO hack

The National Party has used news of a cyber security breach at Tū Ora Compass, one of New Zealand’s largest primary health organisations, to attack the Government over its approach to cyber security.

National’s health spokesman Michael Woodhouse said: “This is not the first time there has been a significant data breach under this Government. Just last month there was a breach at the Ministry of Culture and Heritage, where information on children had been accessed. Earlier in the year staff at NZTA were at risk of personal identity theft after a USB drive containing staff identity cards was lost.”

“This breach is more wide-reaching than Tū Ora Compass PHO,” Woodhouse said but provided no evidence for this, saying only that other providers could have been breached.

He called for swift action from the minister for health to reassure New Zealanders that their health records are secure.

The breach was revealed on 5 October when the Ministry of Health issued a press release saying it been working closely with Tū Ora Compass following confirmation of illegal cyber access to its computer system, notified to it by Tū Ora.

“Tū Ora advises this means data may have been accessed for up to an estimated one million people and could include data going back to 2002,” the ministry said.

“The unauthorised access has now been identified as affecting five lower North Island based PHOs that have a relationship with Tū Ora.”

The ministry said it “agrees with Tū Ora that publicising these incidents of unauthorised access is the right thing to do.”

However, Tū Ora was rather less candid. It issued a press release that opened by saying:

“Tū Ora Compass Health's website was defaced during a widespread global cyber incident in August 2019. The August attack prompted Tū Ora to take its server offline, strengthen its IT security, and an in-depth investigation by the relevant authorities was started. This included the National Cyber Security Centre, Ministry of Health, Police and other agencies.

“Today we are announcing that investigations have found evidence of earlier attacks dating back to 2016.”

Tū Ora CEO, Martin Hefford said the organisation was not able to confirm whether patient information had been compromised.

Tū Ora said it held data on individuals dating back to 2002, from the greater Wellington, Wairarapa and Manawatu regions.

“The current population of these areas are around 648,000 people, but including those now deceased or who have moved away from the area, the data covers nearly one million people.”

The ministry said it was working with other PHOs and DHBs to check the security of their systems and, if necessary, ensure this is strengthened. Additional monitoring and cyber 'stress testing' of DHB and PHO computer security is underway.

Director-general of health, Dr Ashley Bloomfield, said: "We have also been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk.

“This work is ongoing and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."