Cyber Incident Victim: Featherston Medical Centre
Date: Jan 2016
Location: New Zealand
Summary
A primary health organization experienced a cybersecurity breach compromising sensitive medical records of approximately one million individuals. The incident involved unauthorized website access and systemic cyberattacks spanning multiple years, exposing patient registration details, National Health Index Numbers, demographic information, addresses, and clinical records including immunization histories, chronic condition data, and screening logs. Organizational financial records related to healthcare providers were also affected. The entity acknowledged responsibility for the security failure despite characterizing the incident as criminal activity, with leadership expressing regret over the data protection shortcomings. In response to the breach, the organization initiated migration to a cloud-based platform to enhance future security measures.
Description
The Tū Ora Compass Health data breach, disclosed on October 5, 2019, resulted from cyberattacks spanning 2016 to March 2019 against the New Zealand primary health organization. The incident began with the August 2019 defacement of Compass Health's public website, which prompted a broader investigation into the organization's IT infrastructure. This investigation revealed multiple historical compromises dating back three years. Compass Health—formed through the merger of Capital PHO, Tumai Mo Te Iwi, Kapiti PHO, and Wairarapa PHO—confirmed that attackers potentially accessed sensitive medical records of approximately one million individuals registered with affiliated medical centers across the Wellington, Wairarapa, and Manawatu regions between 2016 and 2019. Exposed data included National Health Index Numbers, full names, birth dates, ethnicity details, residential addresses, and medical center registration status. The compromised systems also contained longitudinal health records such as immunization histories, diabetes monitoring reports, cervical screening data, influenza vaccination records for seniors, and chronic condition management information collected since 2002.

In response to the breach, CEO Martin Hefford publicly acknowledged organizational responsibility for the security failures while characterizing the attackers as cybercriminals. Compass Health initiated migration of its systems to Microsoft Azure's cloud platform as a corrective measure, with completion targeted for April 2020. The organization did not disclose specific containment actions taken during the August 2019 website defacement incident or subsequent forensic investigation. Financial records of partner healthcare providers—including invoices and payment account details—were confirmed as part of the compromised data repository. No ransomware demands or explicit motives for the attacks were detailed in the public disclosure. The breach represented one of New Zealand's largest healthcare data exposures at the time, affecting nearly 20% of the national population across multiple regional health systems administered through the PHO network.
