Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




1124 posts

Uber Geek


# 257474 5-Oct-2019 10:55
One person supports this post
Send private message quote this post

https://www.stuff.co.nz/dominion-post/news/116318497/up-to-1-million-new-zealand-patients-data-breached-in-criminal-cyber-hack

 

Up to 1 million New Zealanders could have their medical data in criminal hands after cyber attacks dating back years.

 

Wellington, Kāpiti, and Wairarapa's primary health organisation (PHO) Tū Ora Compass Health confirmed anyone enrolled in a medical centre in the region between 2002 and 2019 could be affected. Manawatū PHO THINK Hauora could also be affected.

 

While individual GP notes were not hacked, Tū Ora's computer system was. The extent that patient files were accessed was impossible to ascertain, chief executive Martin Hefford said.

 

 

 

Will be interesting to see the fallout from this, PHO's have been getting more and more into data collection and primary care's security is pretty weak. I wonder if the Privacy commissioner is going to make an example out of them





Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3


1124 posts

Uber Geek


  # 2330006 5-Oct-2019 13:17
Send private message quote this post

Some more info here:

 

 

 

https://www.nzherald.co.nz/sport/news/article.cfm?c_id=4&objectid=12273866

 

He said the review of health-related systems had since found three district health boards vulnerable to cyber attack.

 

The review identified four hacks: two by cyber "hacktavists" such as Vanda The God, and two others by more "sophisticated" parties.

 

 

 

 





Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

3872 posts

Uber Geek

Trusted
Lifetime subscriber

  # 2331206 6-Oct-2019 08:16
One person supports this post
Send private message quote this post

Words cannot express how unimpressed I am, suffice to say that at this point my preferred outcome is public stoning....





Information wants to be free. The Net interprets censorship as damage and routes around it.


 
 
 
 


2987 posts

Uber Geek

Lifetime subscriber

  # 2331211 6-Oct-2019 08:33
One person supports this post
Send private message quote this post

 

While individual GP notes were not hacked, Tū Ora's computer system was.

 

 

Whilst medical information is not held by the PHO, some does pass through it. I guess that a sophisticated hacker might be able to copy that stream to their own site.

 

 


72 posts

Master Geek


  # 2331217 6-Oct-2019 09:02
2 people support this post
Send private message quote this post

Pretty much NHI, name/contact info etc and whatever from the ManageMyHealth portal.

 

Whats really crap is that you can't opt out of your data being collected by the PHO when you enrol into GP's clinics. Another crap things is that there is a high likelyhood it will happen again or has already happened elsewhere until these PHOs start prioritising data security to vendors. But even then you are just mean't to trust in the DHB PHO that your data is in the safe hands of their 3rd party vendor.

 

Ministry of Health has no security guidelines for the DHB's on their website but it doesn't mean there is no framework for them to follow.

 

DHB's are struggling enough for funding and then they have to offload their data collection to a 3rd party vendor, this DHB system is such a waste of time, money and resources. Time for the govt to step in and take that power away or atleast come up with a system that works for everyone. At the moment my info is part of the hack but I now live in Auckland under a different PHO with possibly a different 3rd party vendor. It's like living in a different country.


4367 posts

Uber Geek


  # 2331354 6-Oct-2019 11:51
Send private message quote this post

So, given they must be hiring IT people on 100k plus salaries... how can this happen? 

 

They say the 'computer system' was hacked.   I wonder how, through website vulnerabilities what allowed remote code execution, or is this some kind of remote access password that was guessed.   

 

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on windows 7????). 

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

 


Mr Snotty
8869 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 2331360 6-Oct-2019 12:17
Send private message quote this post

surfisup1000:

 

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on windows 7????). 

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

Medtech32 uses Interbase normally deployed on a Windows Server box inside the practise. I believe Compass Health was using Medtech32 up until recently. This should be closed off to the internet but there is also a SecureME router operating to provide access to the VPN's needed to connect to the ministry of health (also used in Pharmacies).

 

Edit: after some thinking I suspect the hack may have come out of another VPN that may have connected Compass Health together.







1124 posts

Uber Geek


  # 2331380 6-Oct-2019 13:47
Send private message quote this post

Starlith:

 

Ministry of Health has no security guidelines for the DHB's on their website but it doesn't mean there is no framework for them to follow.

 

 

 

 

https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework

 

 

 

It exists along with the NZISM





Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

 
 
 
 


152 posts

Master Geek


  # 2331432 6-Oct-2019 15:22
quote this post

Starlith:

 

Pretty much NHI, name/contact info etc and whatever from the ManageMyHealth portal.

 

Whats really crap is that you can't opt out of your data being collected by the PHO when you enrol into GP's clinics. Another crap things is that there is a high likelyhood it will happen again or has already happened elsewhere until these PHOs start prioritising data security to vendors. But even then you are just mean't to trust in the DHB PHO that your data is in the safe hands of their 3rd party vendor.

 

Ministry of Health has no security guidelines for the DHB's on their website but it doesn't mean there is no framework for them to follow.

 

DHB's are struggling enough for funding and then they have to offload their data collection to a 3rd party vendor, this DHB system is such a waste of time, money and resources. Time for the govt to step in and take that power away or atleast come up with a system that works for everyone. At the moment my info is part of the hack but I now live in Auckland under a different PHO with possibly a different 3rd party vendor. It's like living in a different country.

 

 

 

 

You can request what the MoH hold about you under the privacy act.  You will be surprised about how much medical information they do hold about you....Once  you put together what providers you use, and what prescriptions you have been given, it doesnt take a genius to put it all together soley from the NHI database.


3102 posts

Uber Geek

Trusted
Subscriber

  # 2331606 6-Oct-2019 23:52
Send private message quote this post

marej:

 

You can request what the MoH hold about you under the privacy act.  You will be surprised about how much medical information they do hold about you....Once  you put together what providers you use, and what prescriptions you have been given, it doesnt take a genius to put it all together soley from the NHI database.

 

 

Yes, but your average crim cannot get to the NHI because they don't have access to Connected Health. Unless they compromise a poorly secured third party who does have a Connected Health link... they really need to clamp down on poorly secured endpoints because there's a lot of incredibly sensitive information that you can infer based on certain things (e.g. you could infer that a person is HIV positive or gay if they have a Truvada prescription - and then if that person is in a position of power you could exploit that knowledge).


1545 posts

Uber Geek

Trusted

  # 2331607 6-Oct-2019 23:55
Send private message quote this post

michaelmurfy:

 

surfisup1000:

 

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on windows 7????). 

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

Medtech32 uses Interbase normally deployed on a Windows Server box inside the practise. I believe Compass Health was using Medtech32 up until recently. This should be closed off to the internet but there is also a SecureME router operating to provide access to the VPN's needed to connect to the ministry of health (also used in Pharmacies).

 

Edit: after some thinking I suspect the hack may have come out of another VPN that may have connected Compass Health together.

 

 

 

 

sounds like murfy was involved :P 







1124 posts

Uber Geek


  # 2331680 7-Oct-2019 07:54
Send private message quote this post

Kyanar:

 

marej:

 

You can request what the MoH hold about you under the privacy act.  You will be surprised about how much medical information they do hold about you....Once  you put together what providers you use, and what prescriptions you have been given, it doesnt take a genius to put it all together soley from the NHI database.

 

 

Yes, but your average crim cannot get to the NHI because they don't have access to Connected Health. Unless they compromise a poorly secured third party who does have a Connected Health link... they really need to clamp down on poorly secured endpoints because there's a lot of incredibly sensitive information that you can infer based on certain things (e.g. you could infer that a person is HIV positive or gay if they have a Truvada prescription - and then if that person is in a position of power you could exploit that knowledge).

 

 

 

 

CH has been a rudderless ship for a while now, It's been considered to be phased out and new systems aren't using it except for legacy connections





Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

4086 posts

Uber Geek


  # 2331749 7-Oct-2019 10:26
One person supports this post
Send private message quote this post

These guys look like they are totally out of their depth for running an organisation with so much data at risk

 

https://compasshealth.org.nz/Cyber-Security-Incident

 

What happened?....What became clear during the investigation was evidence of previous attacks by cyber criminals dating back to 2016.

 

Despite careful investigation, we cannot say for certain whether or not the cyber-attacks resulted in any individual patient information being accessed. It is likely that we will never know

 

Why don’t you know whether patient data was accessed?We do not have Audit logs back to 2016.

 

Can I find out what information Tū Ora holds on me? Not yet. We do not store your information as one health record. Information is collected for specific claiming and reporting purposes and we don’t have a process to amalgamate the data yet. We are working on this.

 

How can I opt out of my data being collected by my GP? At the moment is not possible to opt out of this arrangement due to system limitations. But we are working with the Ministry of Health and other agencies to consider this for the future.

 

 

 

.....

 

So, basically people are forced to give their data to this bunch of muppets who can't even comply with the basic provisions of the privacy act ( principle 6, access to your own information)....


dt

521 posts

Ultimate Geek


  # 2331750 7-Oct-2019 10:29
Send private message quote this post

Has anyone found a way to check if your personal data was stolen in the breach? 


4086 posts

Uber Geek


  # 2331753 7-Oct-2019 10:36
Send private message quote this post

dt:

 

Has anyone found a way to check if your personal data was stolen in the breach? 

 

 

They can't tell you.....

 

Can I find out what information Tū Ora holds on me? Not yet. We do not store your information as one health record. Information is collected for specific claiming and reporting purposes and we don’t have a process to amalgamate the data yet. We are working on this.

 

 


1057 posts

Uber Geek


  # 2331787 7-Oct-2019 11:24
Send private message quote this post

I can just imagine the phishing spam being written right now - "Give me $350 USD in bitcoin or I'll tell all your facebook friends about your STD".

 

For those that haven't seen it before:

 

https://haveibeenpwned.com/


 1 | 2 | 3
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Logitech introduces new Made for Google keyboard and mouse devices
Posted 16-Oct-2019 13:36


MATTR launches to accelerate decentralised identity
Posted 16-Oct-2019 10:28


Vodafone X-Squad powers up for customers
Posted 16-Oct-2019 08:15


D Link ANZ launches EXO Smart Mesh Wi Fi Routers with McAfee protection
Posted 15-Oct-2019 11:31


Major Japanese retailer partners with smart New Zealand technology IMAGR
Posted 14-Oct-2019 10:29


Ola pioneers one-time passcode feature to fight rideshare fraud
Posted 14-Oct-2019 10:24


Spark Sport new home of NZC matches from 2020
Posted 10-Oct-2019 09:59


Meet Nola, Noel Leeming's new digital employee
Posted 4-Oct-2019 08:07


Registrations for Sprout Accelerator open for 2020 season
Posted 4-Oct-2019 08:02


Teletrac Navman welcomes AI tech leader Jens Meggers as new President
Posted 4-Oct-2019 07:41


Vodafone makes voice of 4G (VoLTE) official
Posted 4-Oct-2019 07:36


2degrees Reaches Milestone of 100,000 Broadband Customers
Posted 1-Oct-2019 09:17


Nokia 1 Plus available in New Zealand from 2nd October
Posted 30-Sep-2019 17:46


Ola integrates Apple Pay as payment method in New Zealand
Posted 25-Sep-2019 09:51


Facebook Portal to land in New Zealand
Posted 19-Sep-2019 18:35



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.