Cyber security incident

Information about the illegal cyber intrusion at Tū Ora Compass Health Primary Health Organisation.

Updates

26 November 2019: Further information released

The Ministry has released key briefings and background information about the Tū Ora Compass Health cyber security incident. Read more in the information releases section.

25 October 2019: Cyber testing of 600 health websites

As a result of the illegal unauthorised access of Tū Ora Compass Health, the Ministry has been working with the NZ National Cyber Security Centre (NCSC) to complete scans of websites operated by DHBs and PHOs.

What’s happened?

The Ministry of Health was informed in August 2019 about unauthorised intrusion to the digital information systems of Tū Ora Compass Health.

Tū Ora provides data management services to THINK Hauora, and some patient services to Cosine, Te Awakairangi Health Network and Ora Toa. The current population of these areas is around 648,000 people. Including those now deceased or who have moved away from the area, we're advised by Tū Ora that the data may cover nearly 1 million people.

Tū Ora does not hold your GP notes; these are held by individual medical centres. This means notes made on consultations patients have had with GPs. It also does not include patient portal or shared care record information.

The data does include who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity and address. For some people Tū Ora also holds additional clinical information used for health promotion, such as smoking status, for managing chronic conditions like diabetes, or to deliver services.

Because of the way information is fragmented and stored, we probably won’t ever be able to say with certainty whether data was illegally accessed, and, if so, what information and about whom. However, we are working on the assumption that it is likely that at least some of this information has been accessed.

Privacy and confidentiality are fundamental concepts at the heart of health care in Aotearoa New Zealand and key to building trust in our health system. We acknowledge how concerning this incident is, especially for people enrolled at the affected primary health organisations and the health professionals who work there.

You might be wondering what a primary health organisations (PHO) is. PHOs are non-governmental organisations that support the provision of essential primary health care services, mostly through general practices, to people who are enrolled with the PHO.

Anyone concerned about the incidents can contact the Ministry of Health's call centre on 0800 499 500 or +64 6 927 6930 for overseas callers.

And if this news and the media coverage of these events is causing anxiety or stress for you, think about getting support by calling or texting 1737 for free, any time 24 hours a day, 7 days a week, to talk it through with a trained counsellor.

Information is also available on the Tū Ora website.

What is the Ministry doing to respond?

The National Health Coordination Centre is coordinating the health system’s national response to the incident, working with primary health organisations.

We’ve been making sure systems are in place to support people whose information might have been affected. We immediately launched a response while strengthening information systems against further unauthorised access, working with primary health organisations, district health boards and other Government agencies. This ensures the best resources available are working on the response, and reflects the priority the Government places on New Zealanders’ privacy and security.

Why aren’t you giving us more information?

The scope of the incident isn’t clear at the moment and we’re still getting information at this stage. This means we don’t have as much information to share with you as we’d like. It also means your general practice or primary health organisation won’t be able to give you any more details at the moment.

Live stream update – Saturday 5 October 2019, 11am

 

[Ministry spokesperson] Thanks very much for coming to the Ministry of Health. We've got Shayne Hunter, our Deputy Director General of Data and Digital and Ashley Bloomfield, our Director General of Health, Dr
Ashley Bloomfield.

I'll hand over to Ashley ...

[Dr Ashley Bloomfield] Thanks Peter.

Mōrena koutou, welcome to the  Ministry of Health, Manatū Hauora and thank you very much for attending the briefing here this morning so as Peter said, I'm Dr. Ashley Bloomfield.

I'm the Director General of Health. With me today is Shayne Hunter, he's our Deputy Director General for Data and Digital.

The program for the briefing is I will speak, then Shayne and I will be available to answer any questions you may have.

Then I'll be available for any one-on-one interviews you might want to do after the briefing wraps up.

As you've been made aware, at the briefing earlier this morning, Tū Ora, Compass Health PHO, notified the Ministry of Health in early August, that it had been subjected to an illegal cyber intrusion.

This became evident following the defacement of its public-facing website.

At the same time, the national cybersecurity center, or NCSC, which is within the Government Communications Security Bureau, was notified.

And the NCSC has been working closely with ourselves and Tū Ora, to ensure that - order Tū Ora systems are secure, to investigate the incident, and to support the appropriate response.

The Ministry of Health and the wider health sector take the need to ensure security and privacy of health information very seriously.

Secure information exchange between health agencies is critical for the provision of modern quality and evidence-based health care.

There has been a significant focus on this, since the mid-1990s, with obligations outlined in the 1994 health information privacy code and contracts with PHOs require them to comply with the provisions of
that code and with the Privacy Act 1993.

While Tū Ora Compass is a non-government organization, obviously the ministry is very concerned about this cyber incident and its potential impact on individuals whose data may have been accessed.

We have initiated several actions to assure ourselves and the wider public that all reasonable steps are being taken to ensure their health information is safe and secure.

The first action undertaken was further investigation of the August intrusion on the Tū Ora website, which confirmed previous illegal unauthorized access to its systems dating back, as you know, to 2016.

As Tū Ora has advised, this means data may have been accessed for up to an estimated 1 million people and it could include data going back to 2002.

While we do not know for certain whether data has or hasn't been accessed we are working on the basis that it is likely that at least some data has been accessed since 2016.

The unauthorized access has now been identified as affecting, to a greater or lesser degree, five lower North Island based primary health organizations that have a relationship with Tū Ora.

As you are also aware, this illegal access is a crime and it has been referred by Tū Ora to the police.

Once we understood the nature and extent of the cyber incident from the investigation, the second action we undertook on the 19th of September was that the Ministry of Health and the NCSC initiated a scan
of the websites of all district health boards and PHOs across the country and to assess whether they had vulnerabilities similar to the ones exploited on the Tū Ora website and then to see if there is any
evidence of illegal intrusion as a result of any vulnerabilities identified.

That work is ongoing and is expected to be completed next week.

At the same time, the Ministry asked DHBs and PHOs to assure themselves, and confirm to us, that their externally-facing systems have appropriate security and privacy controls in place.

Responses to this request are due by the 9th October and by yesterday we had received responses from 19 of 20 DHBs and 15 of 30 PHOs.

I reiterated that request and the importance and seriousness of it during a teleconference yesterday with District Health Board and PHO chief executives.

The third action we have initiated is to commission independent external reviews of the externally-facing systems for all DHBs and PHOs.

Now in some cases, these organizations have commissioned external audits or reviews themselves and we will arrange for these to be independently assessed to ensure they satisfy our expectations regarding
appropriate security and privacy of information.

That work is just getting underway and will take some months.

We will take immediate action to address any problems identified and we will provide public updates as it progresses.

I want to reiterate the seriousness, the seriousness with which the Ministry of Health is taking this event and the efforts underway to address the problem and to support people affected.

The Ministry established an incident management team at the beginning of last week to oversee our response and we will continue to work closely with Tū Ora to support people affected through the dedicated
helpline

which you know about and if required, through through further referral to other services.

I can also assure the public that we are working as quickly as possible to ensure that similar events do not occur at other PHOs or DHBs and we are initiating a program of work to strengthen cybersecurity
across the health system so people can be confident that their health information is secure.

Finally I would like to ask the media to take care in balancing the need to inform the public, with the need not to cause people undue concern or inadvertently increase the risk of further cyber intrusions,
scams or fraud.

Thank you very much.

I'm open to questions now.

[Question from a journalist] In terms of the Ministry, what do you know about hacks?

Do you know where this has come from?

Anything in particular?

[Dr Ashley Bloomfield] What we know is, as you heard earlier, there have been four intrusions by different actors.

Two of those would be described as 'hackavists' and two of them by more sophisticated actors and that's extent of the information we have.

[Question from a journalist] Do you have reason to believe that it's local or international?

[Dr Ashley Bloomfield] I simply can't say - I don't have that information.

[Question from a journalist] In your searching of the DHBs and PHOs, has anything come out of that so far?

[Dr Ashley Bloomfield] Yes, so far we have had three the DHBs identify a potential vulnerability in websites.

Those websites have been taken down I understand.

[Shayne Hunter]... or secured.

[Dr Ashley Bloomfield] Subsequently there's no evidence that any of those vulnerabilities had resulted in a breach.

[Question from a journalist] Is this good enough?

[Dr Ashley Bloomfield] Well what is good, is that we have found those and that they have been addressed.

And in terms of the wider issue with this serious breach, is that good enough? It's people's sensitive data.

[Dr Ashley Bloomfield] Well what I can also say, is that none of those websites had any patient data on them, so those were websites, one for example was a website with health education information.

The vulnerabilities were found and they've been addressed.

[Question from a journalist] Was that the same vulnerability that affected Tū Ora or a different one?

[Dr Ashley Bloomfield] Shayne can you comment on that?

[Shayne Hunter] One of them is that is the vulnerability which was the webhack that hit Tū Ora, the other two I can't comment on in terms of the vulnerabilities, I don't know.

What I do know is that they've been secured or that the service has been taken offline.

[Question from a journalist] Could you walk us through what the vulnerability is so that we can understand the issue?

[Shayne Hunter] I don't think it's appropriate to get into the detail.

One of the issues I think you would have heard Martin say, and we believe this is absolutely the right thing to do, is to not talk specifics, because it just opens up the opportunitiesfor the cybercriminals
to go after specific opportunities.

So I'd rather not go into the detail.

[Question from a journalist] In terms of the scans - they're generally routine checks about the security of all of us, or is it just not monitored before now and if not, will there be consistent checks,
making sure that everything's all good?

[Dr Ashley Bloomfield] Yes I'll make a couple of comments and Shayne may want to come in as well.

First of all, we do require and rely on organizations including our DHBs and PHOs to have appropriate systems and appropriate measures in place to ensure patient information in particular is secure and
private, and we require them to provide us with an assurance of that.

As part of that they should be assuring themselves and periodically getting independent audits of that.

What we are doing at the moment, with the scan, is checking their websites to see if they have similar vulnerabilities to the one that was exploited on the Tū Ora Compass website.

That process is underway and we are also going to do this deeper review of each PHO and DHB website.

And as part of that review, what future regular monitoring or auditing we might either undertake or expect those organizations to do.

Shayne did you have any further comments?

[Shayne Hunter] What I would say is that since I've been in health, which goes back to the mid-nineties, security and privacy of information has been one of the top topics and I don't think there's a an IT
manager, or a CIO, or chief digital officer in the country that doesn't worry about cyber.

They do they do invest time and money and ensuring that things are protected but it is a game of cat and mouse keeping up with these people, so there are also regular audits that are done across the sector
by different organizations that are either driven by external or internal audits so it's certainly not passive.

There is activity in order to protect, but as I say it's a challenge keeping up with these people from time-to-time, things will happen.

[Dr Ashley Bloomfield] I think one other comment, is that it's a very reminder of the importance of doing the basics - in particular timely patching or updating of software, because that was the
vulnerability that was exploited with Tū Ora and whilst they had the intention of updating they were caught in that window so it's a really timely reminder to all organizations to undertake any updating f
software or patching of software as quickly as possible as soon as any vulnerabilities are identified.

I think they open themselves up to the intrusion that happened and they have apologized for that and taken accountability for it.

[Question from a journalist] You mentioned something about five practices in the lower North Island.

What were you talking about there?

[Dr Ashley Bloomfield] Five different primary health organizations in the lower North Island which have data held by Compass because of the nature of the different services provided but for most of those PHOs other than the Tū Ora Compass one, it includes just a small amount of patient information.

[Question from a journalist] What were those five organisations?

[Dr Ashley Bloomfield] So the the five primary health organisations are: Tū Ora Compass obviously, Think Health, Te Awa Kairangi Health Network in the Hutt Valley, Ora Toa PHO and Cosine PHO.

[Question from a journalist] In terms of worst case scenario, because Tū Ora can't confirm that this data has been completely breached, if someone, in the long run, who has been impacted by this, does find that their identity or their medical records or whatever, is used in a way that is innapropriate, what steps, what happens next?

Is there something that you guys can do?

[Dr Ashley Bloomfield] Well, we haven't given that too much thought as yet.

What we are interested at this point in time is ensuring there's support for people who either want to know information, or if people are particularly concerned or anxious, that they can talk to someone
about that.

At this stage we have no evidence, by the way, of whether the information or data has been actually taken or any evidence that if it has been taken, that it's been used.

Obviously, if there is evidence emerging of that, then we will absolutely look at that and be working with other agencies across government to see what actions we might need to take.

[Question from a journalist] This is another data breach - it's been a year of data breaches hasn't it?

Have you got anything to say about what else could be coming?

[Dr Ashley Bloomfield] Well, no I can't.

What I can say is that obviously, we've got a really key role to play as the stewardship role for the health system and we've undertaken a number of actions already off the back of this data breach, which
is a very significant and important one because it involves people's health information and so that's why we've stepped up a very significant response and we'll keep the public informed about that activity.

[Question from a journalist] You were made aware of this in early August. Why did it take two months to let the public know?

[Dr Ashley Bloomfield] That's a good question and here are several reasons for that.

First of all, we wanted to undertake the investigation with the National Cyber Security Center to look into the breach, and as you know now, that uncovered further additional illegal intrusions.

We needed a good understanding of what that was.

Secondly we wanted to then be able to ensure that the vulnerabilities identified weren't present elsewhere in the system to the extent we could, so that we could head-off any further trouble and the third
thing is we really wanted to get in place appropriate support and stand-up dedicated our 0800 number with people trained to talk to anyone who was concerned so we were wanting to do, what we  know is a
responsible disclosure and we were well down the path to planning and delivering that.

As I said earlier, the scan that we're doing to look at all other PHO and DHB websites is due for completion next week.

We were planning to wait for that to be completed, then to go public, however we were ready and once the information was out there, we are now front-footing this.

[Question from a journalist] The 0800 number is live?

[Dr Ashley Bloomfield] Yes, that went live at three o'clock yesterday afternoon.

If there are no more questions, let's wrap things up.

I am available if you want to do any one-on-one interviews.

Thank you again.

Back to top