Cyber Incident Victim: Accuro Health Limited
Date:
Dec 2022
Location:
New Zealand
Summary
A cyber attack targeting an external IT infrastructure provider compromised systems of health insurer Accuro, potentially exposing customer data and disrupting access to core services for approximately 30,000 policyholders. The breach occurred through a third-party supplier, mirroring incidents affecting other New Zealand healthcare entities including Medical Assurance Society (MAS) and Health NZ/Te Whatu Ora, which similarly experienced data exposure risks via compromised vendors. While the insurer confirmed no direct infiltration of its own systems, the incident restricted operational capabilities and prompted broader concerns about supply-chain vulnerabilities across the health sector. Affected organizations emphasized ongoing investigations and assured customers of direct communication regarding security impacts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 2, 2022, Wellington-based health insurer Accuro disclosed a potential compromise of customer data following a cyber attack targeting an external IT infrastructure provider used by the company. The attack disrupted access to multiple core systems essential for Accuro's operations, as confirmed by a public statement on the insurer's website. Chief Financial Officer Joe Benbow indicated the breach affected approximately 30,000 customers, though the company did not specify which systems or services were rendered inaccessible. Accuro clarified that its own internal networks were not directly breached, with the intrusion limited to the third-party provider's infrastructure. The insurer initiated coordination with the affected vendor to restore system access and assess the scope of potential data exposure, though no evidence of actual data exfiltration or misuse was confirmed at the time of disclosure. Customers were advised to monitor the company's website for updates while Accuro worked to resolve the service disruptions caused by the attack.
The incident occurred amid a cluster of third-party breaches affecting New Zealand healthcare entities in early December 2022, including parallel attacks on Medical Assurance Society (MAS) and Health NZ/Te Whatu Ora's IT providers. While Accuro did not identify the specific type of compromised data, the disclosure emphasized the risk to customer information held by the external vendor. The company maintained operational continuity through alternative measures during the system outages but did not detail these contingency protocols. No ransomware claims or threat actor attributions were disclosed in public statements. The breach notification highlighted supply chain vulnerabilities within New Zealand's insurance and healthcare sectors, with three significant organizations reporting third-party compromises within a five-day period. Accuro's public communications focused on procedural transparency regarding the provider-led incident while affirming the integrity of its own security systems.