Geekzone: technology news, blogs, forums


Beccara

1287 posts

Uber Geek


#257474 5-Oct-2019 10:55

https://www.stuff.co.nz/dominion-post/news/116318497/up-to-1-million-new-zealand-patients-data-breached-in-criminal-cyber-hack

 

Up to 1 million New Zealanders could have their medical data in criminal hands after cyber attacks dating back years.

 

Wellington, Kāpiti, and Wairarapa's primary health organisation (PHO) Tū Ora Compass Health confirmed anyone enrolled in a medical centre in the region between 2002 and 2019 could be affected. Manawatū PHO THINK Hauora could also be affected.

 

While individual GP notes were not hacked, Tū Ora's computer system was. The extent that patient files were accessed was impossible to ascertain, chief executive Martin Hefford said.

 

 

 

Will be interesting to see the fallout from this. PHOs have been getting more and more into data collection and primary care's security is pretty weak. I wonder if the Privacy Commissioner is going to make an example out of them.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

Beccara

1287 posts

Uber Geek


  #2330006 5-Oct-2019 13:17

Some more info here:

 

 

 

https://www.nzherald.co.nz/sport/news/article.cfm?c_id=4&objectid=12273866

 

He said the review of health-related systems had since found three district health boards vulnerable to cyber attack.

 

The review identified four hacks: two by cyber "hacktivists" such as Vanda The God, and two others by more "sophisticated" parties.

 

 

 

 






Lias
4257 posts

Uber Geek

Trusted
Lifetime subscriber

  #2331206 6-Oct-2019 08:16

Words cannot express how unimpressed I am, suffice to say that at this point my preferred outcome is public stoning....





 
 
 
 


frankv
3941 posts

Uber Geek

Lifetime subscriber

  #2331211 6-Oct-2019 08:33

 

While individual GP notes were not hacked, Tū Ora's computer system was.

 

 

Whilst medical information is not held by the PHO, some does pass through it. I guess that a sophisticated hacker might be able to copy that stream to their own site.

 

 


Starlith
87 posts

Master Geek

Trusted

  #2331217 6-Oct-2019 09:02

Pretty much NHI, name/contact info etc and whatever from the ManageMyHealth portal.

 

What's really crap is that you can't opt out of your data being collected by the PHO when you enrol into GP's clinics. Another crap thing is that there is a high likelihood it will happen again or has already happened elsewhere until these PHOs start prioritising data security to vendors. But even then you are just meant to trust in the DHB PHO that your data is in the safe hands of their 3rd party vendor.

Ministry of Health has no security guidelines for the DHBs on their website but it doesn't mean there is no framework for them to follow.

DHBs are struggling enough for funding and then they have to offload their data collection to a 3rd party vendor, this DHB system is such a waste of time, money and resources. Time for the govt to step in and take that power away or at least come up with a system that works for everyone. At the moment my info is part of the hack but I now live in Auckland under a different PHO with possibly a different 3rd party vendor. It's like living in a different country.


surfisup1000
4876 posts

Uber Geek


  #2331354 6-Oct-2019 11:51

So, given they must be hiring IT people on 100k plus salaries... how can this happen? 

 

They say the 'computer system' was hacked. I wonder how, through website vulnerabilities that allowed remote code execution, or is this some kind of remote access password that was guessed.

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on Windows 7????).

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

 


michaelmurfy
/dev/null
9641 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2331360 6-Oct-2019 12:17

surfisup1000:

 

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on Windows 7????).

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

Medtech32 uses Interbase normally deployed on a Windows Server box inside the practice. I believe Compass Health was using Medtech32 up until recently. This should be closed off to the internet but there is also a SecureME router operating to provide access to the VPNs needed to connect to the Ministry of Health (also used in Pharmacies).

 

Edit: after some thinking I suspect the hack may have come out of another VPN that may have connected Compass Health together.





Beccara

1287 posts

Uber Geek


  #2331380 6-Oct-2019 13:47

Starlith:

 

Ministry of Health has no security guidelines for the DHBs on their website but it doesn't mean there is no framework for them to follow.

 

 

 

 

https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework

 

 

 

It exists along with the NZISM






 
 
 
 


marej
186 posts

Master Geek


  #2331432 6-Oct-2019 15:22

Starlith:

 

Pretty much NHI, name/contact info etc and whatever from the ManageMyHealth portal.

 

What's really crap is that you can't opt out of your data being collected by the PHO when you enrol into GP's clinics. Another crap thing is that there is a high likelihood it will happen again or has already happened elsewhere until these PHOs start prioritising data security to vendors. But even then you are just meant to trust in the DHB PHO that your data is in the safe hands of their 3rd party vendor.

Ministry of Health has no security guidelines for the DHBs on their website but it doesn't mean there is no framework for them to follow.

DHBs are struggling enough for funding and then they have to offload their data collection to a 3rd party vendor, this DHB system is such a waste of time, money and resources. Time for the govt to step in and take that power away or at least come up with a system that works for everyone. At the moment my info is part of the hack but I now live in Auckland under a different PHO with possibly a different 3rd party vendor. It's like living in a different country.

 

 

 

 

You can request what the MoH hold about you under the Privacy Act. You will be surprised about how much medical information they do hold about you.... Once you put together what providers you use, and what prescriptions you have been given, it doesn't take a genius to put it all together solely from the NHI database.


Kyanar
3214 posts

Uber Geek

Trusted
Subscriber

  #2331606 6-Oct-2019 23:52

marej:

 

You can request what the MoH hold about you under the Privacy Act. You will be surprised about how much medical information they do hold about you.... Once you put together what providers you use, and what prescriptions you have been given, it doesn't take a genius to put it all together solely from the NHI database.

 

 

Yes, but your average crim cannot get to the NHI because they don't have access to Connected Health. Unless they compromise a poorly secured third party who does have a Connected Health link... they really need to clamp down on poorly secured endpoints because there's a lot of incredibly sensitive information that you can infer based on certain things (e.g. you could infer that a person is HIV positive or gay if they have a Truvada prescription - and then if that person is in a position of power you could exploit that knowledge).


l43a2
1616 posts

Uber Geek

Trusted

  #2331607 6-Oct-2019 23:55

michaelmurfy:

 

surfisup1000:

 

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on Windows 7????).

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

Medtech32 uses Interbase normally deployed on a Windows Server box inside the practice. I believe Compass Health was using Medtech32 up until recently. This should be closed off to the internet but there is also a SecureME router operating to provide access to the VPNs needed to connect to the Ministry of Health (also used in Pharmacies).

 

Edit: after some thinking I suspect the hack may have come out of another VPN that may have connected Compass Health together.

 

 

 

 

sounds like murfy was involved :P 






Beccara

1287 posts

Uber Geek


  #2331680 7-Oct-2019 07:54

Kyanar:

 

marej:

 

You can request what the MoH hold about you under the Privacy Act. You will be surprised about how much medical information they do hold about you.... Once you put together what providers you use, and what prescriptions you have been given, it doesn't take a genius to put it all together solely from the NHI database.

 

 

Yes, but your average crim cannot get to the NHI because they don't have access to Connected Health. Unless they compromise a poorly secured third party who does have a Connected Health link... they really need to clamp down on poorly secured endpoints because there's a lot of incredibly sensitive information that you can infer based on certain things (e.g. you could infer that a person is HIV positive or gay if they have a Truvada prescription - and then if that person is in a position of power you could exploit that knowledge).

 

 

 

 

CH has been a rudderless ship for a while now. It's been considered to be phased out and new systems aren't using it except for legacy connections.






wellygary
5012 posts

Uber Geek


  #2331749 7-Oct-2019 10:26

These guys look like they are totally out of their depth for running an organisation with so much data at risk

 

https://compasshealth.org.nz/Cyber-Security-Incident

 

What happened?....What became clear during the investigation was evidence of previous attacks by cyber criminals dating back to 2016.

 

Despite careful investigation, we cannot say for certain whether or not the cyber-attacks resulted in any individual patient information being accessed. It is likely that we will never know

 

Why don’t you know whether patient data was accessed? We do not have Audit logs back to 2016.

 

Can I find out what information Tū Ora holds on me? Not yet. We do not store your information as one health record. Information is collected for specific claiming and reporting purposes and we don’t have a process to amalgamate the data yet. We are working on this.

 

How can I opt out of my data being collected by my GP? At the moment it is not possible to opt out of this arrangement due to system limitations. But we are working with the Ministry of Health and other agencies to consider this for the future.

 

 

 

.....

 

So, basically people are forced to give their data to this bunch of muppets who can't even comply with the basic provisions of the Privacy Act (principle 6, access to your own information)....


dt

dt
726 posts

Ultimate Geek


  #2331750 7-Oct-2019 10:29

Has anyone found a way to check if your personal data was stolen in the breach? 


wellygary
5012 posts

Uber Geek


  #2331753 7-Oct-2019 10:36

dt:

 

Has anyone found a way to check if your personal data was stolen in the breach? 

 

 

They can't tell you.....

 

Can I find out what information Tū Ora holds on me? Not yet. We do not store your information as one health record. Information is collected for specific claiming and reporting purposes and we don’t have a process to amalgamate the data yet. We are working on this.

 

 


tripper1000
1252 posts

Uber Geek


  #2331787 7-Oct-2019 11:24

I can just imagine the phishing spam being written right now - "Give me $350 USD in bitcoin or I'll tell all your Facebook friends about your STD".

 

For those that haven't seen it before:

 

https://haveibeenpwned.com/

