Geekzone: technology news, blogs, forums


Beccara

1469 posts

Uber Geek

ID Verified

#257474 5-Oct-2019 10:55

https://www.stuff.co.nz/dominion-post/news/116318497/up-to-1-million-new-zealand-patients-data-breached-in-criminal-cyber-hack

 

Up to 1 million New Zealanders could have their medical data in criminal hands after cyber attacks dating back years.

 

Wellington, Kāpiti, and Wairarapa's primary health organisation (PHO) Tū Ora Compass Health confirmed anyone enrolled in a medical centre in the region between 2002 and 2019 could be affected. Manawatū PHO THINK Hauora could also be affected.

 

While individual GP notes were not hacked, Tū Ora's computer system was. The extent that patient files were accessed was impossible to ascertain, chief executive Martin Hefford said.

 

 

 

Will be interesting to see the fallout from this. PHOs have been getting more and more into data collection and primary care's security is pretty weak. I wonder if the Privacy Commissioner is going to make an example out of them.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated.

Beccara

1469 posts

Uber Geek

ID Verified

  #2330006 5-Oct-2019 13:17

Some more info here:

 

 

 

https://www.nzherald.co.nz/sport/news/article.cfm?c_id=4&objectid=12273866

 

He said the review of health-related systems had since found three district health boards vulnerable to cyber attack.

 

The review identified four hacks: two by cyber "hacktivists" such as Vanda The God, and two others by more "sophisticated" parties.

 

 

 

 








Lias
5589 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2331206 6-Oct-2019 08:16

Words cannot express how unimpressed I am, suffice to say that at this point my preferred outcome is public stoning....





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.


frankv
5680 posts

Uber Geek

Lifetime subscriber

  #2331211 6-Oct-2019 08:33

 

While individual GP notes were not hacked, Tū Ora's computer system was.

 

 

Whilst medical information is not held by the PHO, some does pass through it. I guess that a sophisticated hacker might be able to copy that stream to their own site.

 

 




Starlith
208 posts

Master Geek

Trusted

  #2331217 6-Oct-2019 09:02

Pretty much NHI, name/contact info etc and whatever from the ManageMyHealth portal.

 

What's really crap is that you can't opt out of your data being collected by the PHO when you enrol into GP clinics. Another crap thing is that there is a high likelihood it will happen again or has already happened elsewhere until these PHOs start prioritising data security to vendors. But even then you are just meant to trust in the DHB PHO that your data is in the safe hands of their 3rd party vendor.

 

Ministry of Health has no security guidelines for the DHBs on their website but it doesn't mean there is no framework for them to follow.

 

DHBs are struggling enough for funding and then they have to offload their data collection to a 3rd party vendor. This DHB system is such a waste of time, money and resources. Time for the govt to step in and take that power away or at least come up with a system that works for everyone. At the moment my info is part of the hack but I now live in Auckland under a different PHO with possibly a different 3rd party vendor. It's like living in a different country.


surfisup1000
5288 posts

Uber Geek


  #2331354 6-Oct-2019 11:51

So, given they must be hiring IT people on 100k plus salaries... how can this happen? 

 

They say the 'computer system' was hacked. I wonder how, through website vulnerabilities that allowed remote code execution, or is this some kind of remote access password that was guessed.

 

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on windows 7????). 

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

 


michaelmurfy
meow
13241 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2331360 6-Oct-2019 12:17

surfisup1000:

 

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on windows 7????). 

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

Medtech32 uses Interbase, normally deployed on a Windows Server box inside the practice. I believe Compass Health was using Medtech32 up until recently. This should be closed off to the internet but there is also a SecureME router operating to provide access to the VPNs needed to connect to the Ministry of Health (also used in pharmacies).

 

Edit: after some thinking I suspect the hack may have come out of another VPN that may have connected Compass Health together.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Opinions are my own and not the views of my employer.


Beccara

1469 posts

Uber Geek

ID Verified

  #2331380 6-Oct-2019 13:47

Starlith:

 

Ministry of Health has no security guidelines for the DHBs on their website but it doesn't mean there is no framework for them to follow.

 

 

 

 

https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework

 

 

 

It exists along with the NZISM.






 
 
 

marej
186 posts

Master Geek


  #2331432 6-Oct-2019 15:22

Starlith:

 

Pretty much NHI, name/contact info etc and whatever from the ManageMyHealth portal.

 

What's really crap is that you can't opt out of your data being collected by the PHO when you enrol into GP clinics. Another crap thing is that there is a high likelihood it will happen again or has already happened elsewhere until these PHOs start prioritising data security to vendors. But even then you are just meant to trust in the DHB PHO that your data is in the safe hands of their 3rd party vendor.

 

Ministry of Health has no security guidelines for the DHBs on their website but it doesn't mean there is no framework for them to follow.

 

DHBs are struggling enough for funding and then they have to offload their data collection to a 3rd party vendor. This DHB system is such a waste of time, money and resources. Time for the govt to step in and take that power away or at least come up with a system that works for everyone. At the moment my info is part of the hack but I now live in Auckland under a different PHO with possibly a different 3rd party vendor. It's like living in a different country.

 

 

 

 

You can request what the MoH hold about you under the Privacy Act. You will be surprised about how much medical information they do hold about you... Once you put together what providers you use, and what prescriptions you have been given, it doesn't take a genius to put it all together solely from the NHI database.


Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #2331606 6-Oct-2019 23:52

marej:

 

You can request what the MoH hold about you under the Privacy Act. You will be surprised about how much medical information they do hold about you... Once you put together what providers you use, and what prescriptions you have been given, it doesn't take a genius to put it all together solely from the NHI database.

 

 

Yes, but your average crim cannot get to the NHI because they don't have access to Connected Health. Unless they compromise a poorly secured third party who does have a Connected Health link... they really need to clamp down on poorly secured endpoints because there's a lot of incredibly sensitive information that you can infer based on certain things (e.g. you could infer that a person is HIV positive or gay if they have a Truvada prescription - and then if that person is in a position of power you could exploit that knowledge).


l43a2
1779 posts

Uber Geek

ID Verified
Trusted

  #2331607 6-Oct-2019 23:55

michaelmurfy:

 

surfisup1000:

 

Or, was their server OS directly hacked using known exploits because they had not been applying updates -- (maybe they are still on windows 7????). 

 

From talking with some people in government departments/councils, there are a multitude of archaic and poorly designed applications and databases. 

 

Medtech32 uses Interbase, normally deployed on a Windows Server box inside the practice. I believe Compass Health was using Medtech32 up until recently. This should be closed off to the internet but there is also a SecureME router operating to provide access to the VPNs needed to connect to the Ministry of Health (also used in pharmacies).

 

Edit: after some thinking I suspect the hack may have come out of another VPN that may have connected Compass Health together.

 

 

 

 

Sounds like murfy was involved :P






Beccara

1469 posts

Uber Geek

ID Verified

  #2331680 7-Oct-2019 07:54

Kyanar:

 

marej:

 

You can request what the MoH hold about you under the Privacy Act. You will be surprised about how much medical information they do hold about you... Once you put together what providers you use, and what prescriptions you have been given, it doesn't take a genius to put it all together solely from the NHI database.

 

 

Yes, but your average crim cannot get to the NHI because they don't have access to Connected Health. Unless they compromise a poorly secured third party who does have a Connected Health link... they really need to clamp down on poorly secured endpoints because there's a lot of incredibly sensitive information that you can infer based on certain things (e.g. you could infer that a person is HIV positive or gay if they have a Truvada prescription - and then if that person is in a position of power you could exploit that knowledge).

 

 

 

 

CH has been a rudderless ship for a while now. It's been considered to be phased out and new systems aren't using it except for legacy connections.






wellygary
8315 posts

Uber Geek


  #2331749 7-Oct-2019 10:26

These guys look like they are totally out of their depth for running an organisation with so much data at risk.

 

https://compasshealth.org.nz/Cyber-Security-Incident

 

What happened? ... What became clear during the investigation was evidence of previous attacks by cyber criminals dating back to 2016.

 

Despite careful investigation, we cannot say for certain whether or not the cyber-attacks resulted in any individual patient information being accessed. It is likely that we will never know.

 

Why don’t you know whether patient data was accessed? We do not have audit logs back to 2016.

 

Can I find out what information Tū Ora holds on me? Not yet. We do not store your information as one health record. Information is collected for specific claiming and reporting purposes and we don’t have a process to amalgamate the data yet. We are working on this.

 

How can I opt out of my data being collected by my GP? At the moment it is not possible to opt out of this arrangement due to system limitations. But we are working with the Ministry of Health and other agencies to consider this for the future.

 

 

 

.....

 

So, basically people are forced to give their data to this bunch of muppets who can't even comply with the basic provisions of the Privacy Act (principle 6, access to your own information)...


dt
1152 posts

Uber Geek
Inactive user


  #2331750 7-Oct-2019 10:29

Has anyone found a way to check if your personal data was stolen in the breach? 


wellygary
8315 posts

Uber Geek


  #2331753 7-Oct-2019 10:36

dt:

 

Has anyone found a way to check if your personal data was stolen in the breach? 

 

 

They can't tell you.....

 

Can I find out what information Tū Ora holds on me? Not yet. We do not store your information as one health record. Information is collected for specific claiming and reporting purposes and we don’t have a process to amalgamate the data yet. We are working on this.

 

 


tripper1000
1617 posts

Uber Geek


  #2331787 7-Oct-2019 11:24

I can just imagine the phishing spam being written right now - "Give me $350 USD in bitcoin or I'll tell all your Facebook friends about your STD".

 

For those that haven't seen it before:

 

https://haveibeenpwned.com/

