The medical and personal information of about 1 million people was exposed after a breach of Tū Ora Compass Health, a primary health organization (PHO) located in New Zealand.
The non-governmental organization (NGO) discovered four intrusions – by what Ministry of Health Director-General of Health Ashley Bloomfield said were two hacktivists and two “more sophisticated actors” – on August 5 after its website was defaced.
The breach “illustrates how third-party healthcare cybersecurity remains a pressing problem throughout the world,” said Elad Shapira, head of research at Panorays, who noted that Tū Ora connected to 60 different general practice teams and other health providers and, like other healthcare companies, collected “some of our most sensitive and confidential data: personal and demographic information, financial statements, health details and insurance policies” that attackers can use for identity theft, insurance fraud, financial gain and blackmail.
“Amassing hundreds of thousands of patient records in a single database increases the risk of compromising patient data should a breach occur,” said Paul Edon, senior director (EMEA) at Tripwire.
Tū Ora has retained data on patients “dating back to 2002, from the greater Wellington, Wairarapa and Manawatu regions. Anyone who was enrolled with a medical center in that period could potentially be affected,” a New Zealand Herald report cited a Tū Ora security incident advisory as saying, noting that while the current population of those regions is around 648,000, the list of those affected includes people who are deceased or who have moved, bringing the total to about 1 million.
“According to the data breach statement, 17 years’ worth of personal data was potentially accessed not once, but four times before detected,” said Jonathan Deveaux, head of enterprise data protection at comforte AG. “Unfortunately, there did not seem to be protections placed on the data itself, which means the personal data was left in clear text form. It’s a good thing that no payment info, tax numbers, passport numbers, nor driver’s license numbers were on the server; otherwise, those data elements would have been exposed as well.”
Securing patients’ data requires healthcare organizations to “go beyond simply being compliant with security frameworks and ensure that their environment is duly protected against unauthorized changes and misconfigurations which can make their environment susceptible to a cyberattack,” said Edon. “Given the increased cyberattacks against healthcare organizations, it is simply no longer sufficient to merely be compliant with security frameworks. When retaining this kind of data it is critical to choose an encryption solution that not only protects the database instances but also provides protection for data in transit and at rest.”