A primary health organisation whose website was hacked in August has found evidence of earlier attacks dating back to 2016.
The incident involves Tū Ora Compass Health which is responsible for collecting and analysing data from medical centres involving disease screening and treatment for conditions including diabetes.
Tū Ora holds data on patients dating back to 2002, from the greater Wellington, Wairarapa and Manawatu regions so nearly a million people in the lower North Island could be affected.
At a media conference in Wellington this morning, Tū Ora Compass Health chief executive Martin Hefford said after the August hack was discovered, the top priority has been to work with experts to understand the potential implications and identify the steps needed to look after the health and wellbeing of patients.
"We are devastated that we weren't able to keep people's information safe. While this was illegal and the work of cyber criminals, it was our responsibility to keep people's data safe and we've failed to do that," Mr Hefford said.
The August hack was part of a global cyber incident. An in-depth investigation was launched by the National Cyber Security Centre, Ministry of Health, police and other agencies, which uncovered previous cyber attacks dating back to 2016.
It's not yet known whether any patient information was accessed and Tū Ora said it is likely that will never be known.
Tū Ora does not hold GP notes, which are held by individual medical centres and are not at risk.
Mr Hefford said the PHO is focused on doing everything it can to prevent another cyber attack.
Bryan Betty from the College of GPs said a hack of this size is a wake-up call for the health sector.
But he said patients' most sensitive health information should not have been compromised, given that GP and nursing notes are not held by Tū Ora Compass Health.
Tū Ora Compass Health is one of 30 PHOs responsible for collecting and analysing general practice data such as patients who have been immunised. The data is then given back to the medical centres where it is used to help GP teams to provide high quality care, including contacting people who have not been immunised and encouraging them to do so.
Tū Ora also delivers some clinical services such as podiatry and mental health care.
Health Minister David Clark said it's unacceptable people's sensitive health data may have been compromised.
He said people have every right to expect their health data is secure and he has reassured the public the government is taking the incident very seriously.
He said the immediate priority is to support patients whose information may have been compromised.
He has also sought assurances from the Ministry of Health that security checks are being done across the health system.
Dr Clark said any vulnerabilities that are identified will be immediately addressed.
National's Health spokesman, Michael Woodhouse, said it's worrying for patients.
He said the Health Minister needs to investigate whether the Tū Ora breach was a Trojan horse attempt to access other government agencies.
Last month the government named Tū Ora as one of more than 20 existing underfunded mental health services which would receive a share of $6 million to improve services for those needing mental health support.
Ministry of Health calls in GCSB over attacks
The Ministry of Health said it has been working closely with Tū Ora Compass Health since the PHO became aware of the hack in early August.
Director-General of Health Ashley Bloomfield said before making details of the cyber intrusion public, the ministry wanted to ensure Tū Ora's information systems were secure and that there were appropriate supports in place for people who may be concerned their information has been accessed.
"We also needed to ensure publicity wouldn't increase the risk of further online harm," he said.
Dr Bloomfield said Tū Ora has strengthened its security following the incident.
Anyone concerned about the incidents can contact the Ministry of Health's call centre on 0800 499 500 or +64 6 927 6930 for overseas callers.
"Additional supports, such as counselling, health advice or other services, have been arranged for people distressed or anxious about the unauthorised access," Dr Bloomfield said.
The Ministry of Health is working with other PHOs and DHBs to check the security of their systems and, if necessary, ensure this is strengthened. Additional monitoring and cyber 'stress testing' of DHB and PHO computer security is underway.
"We have also been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk.
"This work is ongoing and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."
The Ministry of Health and the GCSB believe the testing now underway will identify areas where further action can be taken to strengthen information security measures at PHOs and DHBs.
What data is held by Tū Ora?
- Tū Ora does not hold GP notes or information contained in a person's patient portal; ACC claims data; or Piki youth mental health programme data
- Tū Ora does hold data including who is enrolled at which medical centre, their national health index number, name, date of birth, ethnicity and address
- It holds some medical information provided to it by medical centres, to provide timely care. That means Tū Ora provides GPs and practice nurses with information on: which children are due for immunisation; whether people with diabetes are up to date with all the checks and are being treated according to best practice; whether people aged over 65 have had a flu vaccination yet; who has been admitted to hospital for a potentially avoidable condition; which women are due to be recalled for cervical screening; who is due for a heart and diabetes check
- Tū Ora holds some patient information for delivering clinical services like podiatry, mental health and diabetes care