7 Oct 2019

No evidence patients' data has been stolen, health body says

7:38 pm on 7 October 2019

Patients in the lower North Island are being reassured there is no evidence that any of their personal or health information has been illegally accessed.

At media conference explaining hacking of website

Martin Hefford says the Tū Ora board has signed off on spending more than a million dollars to move its website to a modern platform. Photo: RNZ / Charlotte Cook

It was revealed on Saturday that the medical data of up to a million people in the region could be in criminal hands because of the hacking of a health website.

The hacking concerned the public website of a primary health organisation known as Tū Ora Compass, covering Wellington, Kapiti and Wairarapa.

Among the information it holds is names, addresses and national health identifier or NHI numbers on patients.

It also, however, has some information about mental health counselling, sexual health services and lab tests, including concerning sensitive Hep-C.

The Tū Ora Compass chief executive, Martin Hefford, said it understands and accepts if people are distressed.

But he stressed that while the group's website has been hacked, there is no sign at all that such data has been obtained.

"The only reassurance we can give is that currently there is no evidence that any data has actually been accessed illegally. Our public website has been hacked but there's no actual evidence that anyone's data has been exposed."

Mr Hefford said he won't blame under-funding of primary healthcare for the problem, but the group's IT set-up was ageing. "We were early adopters of the use of information for population health improvement and what that means is that we set up systems early and some of our databases and/ or IT infrastructure is now dated."

He said last July the Tū Ora board signed off on spending more than a million dollars to move to a modern platform. "We are moving to a Microsoft Azure data cloud which will be protected by everything that Microsoft can provide in terms of modern protection."

The Mental Health Foundation chief executive, Shaun Robinson, said what happened is a wake-up call for any organisation holding vital personal records. He said: "Sadly, it's a situation where malicious hackers or potentially criminal cyber activity you know, continues to up the ante and those protecting data have to continue to increase their vigilance as well."

A journalist, not Tū Ora, revealed the hacking on Saturday. Jon Duffy, the assistant commissioner of policy and operations at the Office of the Privacy Commissioner, isn't critical of the PHO over that. He said: "Some of the time taken to disclose involved setting up the logistics to support affected individuals."

GPs back handling of data breach

Family doctors also back the PHO's handling of the hacking, said the chair of General Practice New Zealand, Wellington GP Jeff Lowe. "When they found that there was a cyber attack they immediately investigated. They front-footed this and owned up to it and acted in a responsible manner. They've sought good advice ... because they understand the seriousness of this."

The Prime Minister, Jacinda Ardern, said Tū Ora is a non-governmental organisation, and held no hospital data. She said: "What we need to have assurance with is those PHOs that the government's contracting with are fulfilling their obligations and keeping their patients' records safe. DHBs have been working alongside the GCSB [Government Communications Security Bureau] to be able to assure that."

Earlier today, National's health spokesperson, Michael Woodhouse, said the security breach "may have seen information about the mental health, sexual health and other private enrolment information of several thousand past and present patients" of Tū Ora Health accessed and in criminal hands.

The Health Minister, David Clark, responded that New Zealanders could be assured the incident was being taken seriously. Dr Clark added: "I raised this matter with National's health spokesperson last week before it became public because of the sensitivities involved and because security breached occurred from 2016 during National's time in office."

Tū Ora Compass said anyone who is worried should phone 0800 499 500, which has had 167 calls since 3pm Friday, 121 from members of the public.