The Ministry of Health has been working closely with Tū Ora Compass Health Primary Health Organisation (PHO) following confirmation of illegal cyber access to its computer system.
Tū Ora notified the Ministry as soon as it became aware of unauthorised access in early August. Further investigation confirmed earlier illegal unauthorised access dating back to 2016.
Tū Ora advises this means data may have been accessed for up to an estimated 1 million people and could include data going back to 2002.
The unauthorised access has now been identified as affecting five lower North Island based PHOs that have a relationship with Tū Ora. The illegal access is a crime and has been referred by Tū Ora to the Police.
The Ministry of Health agrees with Tū Ora that publicising these incidents of unauthorised access is the right thing to do.
"Before making details of the cyber intrusion public, we wanted to ensure the Tū Ora Compass information systems were secure and that there were appropriate supports in place for people who may be concerned at potential disclosure. We also needed to ensure publicity wouldn't increase the risk of further online harm," says Dr Ashley Bloomfield, Director-General of Health.
Tū Ora Compass has now strengthened its security following the incident. Dr Bloomfield says anyone concerned about the incidents can contact the Ministry of Health's call centre on 0800 499 500 or +64 6 927 6930 for overseas callers.
"Additional supports, such as counselling, health advice or other services, have been arranged for people distressed or anxious about the unauthorised access."
Secure information exchange between health agencies is critical for the provision of modern, high quality healthcare. The Ministry of Health is working with other PHOs and DHBs to check the security of their systems and, if necessary, ensure this is strengthened. Additional monitoring and cyber 'stress testing' of DHB and PHO computer security is underway.
"We have also been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk. This work is ongoing and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."
The Ministry of Health and the GCSB believe the testing now underway will identify areas where further action can be taken to strengthen information security measures at PHOs and DHBs. The Ministry will be publicly reporting on progress with this work for the remainder of this year.
Background
Primary health organisations (PHOs) are non-governmental organisations that support the provision of essential primary health care services, mostly through general practices, to people who are enrolled with the PHO.