Cyber Incident Victim: Tu Ora Compass Health
Date: Jan 2016
Location: New Zealand
Summary
A cybersecurity breach at Tū Ora Compass Health compromised sensitive medical and financial data of approximately one million individuals, stemming from website defacement and broader system intrusions over multiple years. Exposed information included patient names, birthdates, addresses, National Health Index Numbers, ethnicity, immunization histories, chronic condition records, and organizational financial details like provider invoices and payment accounts. The primary health organization acknowledged responsibility for failing to protect the data, which originated from medical registrations across Wellington, Wairarapa, and Manawatu regions. In response to the incident, the entity initiated plans to transition its infrastructure to a more secure cloud-based platform.
Description
The Tū Ora Compass Health data breach, disclosed on October 8, 2019, stemmed from cyberattacks targeting the New Zealand primary health organization (PHO) between 2016 and March 2019. The incident gained public attention when attackers defaced the organization’s website on August 5, 2019, prompting a comprehensive investigation into Compass Health’s IT systems. This investigation revealed a pattern of unauthorized access dating back three years, with attackers compromising systems that stored sensitive medical and administrative records. Compass Health, formed through the merger of four PHOs—Capital PHO, Tumai Mo Te Iwi, Kapiti PHO, and Wairarapa PHO—held data on approximately one million individuals registered with medical centers in the greater Wellington, Wairarapa, and Manawatu regions. The exposed records included information collected as far back as 2002, though individuals registered between 2016 and 2019 faced the highest risk of impact. The breach affected National Health Index Numbers, full names, dates of birth, ethnicity, residential addresses, and medical center registration details.

Compass Health confirmed the compromised systems contained extensive health data, including records on long-term conditions, immunization histories, diabetes screenings, cervical cancer tests, and influenza vaccinations for patients over 65. Additionally, organizational financial data—such as invoices and account details for partnered medical practices and healthcare providers—was exposed. CEO Martin Hefford publicly acknowledged the failure to safeguard data, stating the organization was “devastated” by the breach and emphasizing its responsibility to protect patient information despite the criminal nature of the attack. In response, Compass Health initiated a migration of its IT infrastructure to Microsoft Azure, aiming to complete the transition to a more secure platform by April 2020. The organization did not disclose specific containment measures taken during the investigation but indicated the breach prompted a reevaluation of its overall security posture. No ransomware or direct extortion attempts were mentioned in the disclosure, and the incident remained under investigation by cybersecurity and regulatory authorities at the time of reporting.
