Cyber Incident Victim: Medical Assurance Society
Date:
Dec 2022
Location:
Cocos (Keeling) Islands
Summary
A cyber attack on a third-party after-hours call center provider potentially exposed personal data of members from New Zealand's largest insurer of medical professionals. The breach did not compromise the insurer's own systems, but precautionary measures included suspending the supplier's services and advising password updates. While no data compromise was confirmed, the company established limited after-hours support and committed to direct communication regarding security concerns. The incident highlighted risks associated with external vendors handling sensitive information, prompting an apology and reassurance of the organization's dedication to privacy protections.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 1, 2022, Medical Assurance Society (MAS), New Zealand’s largest insurer of medical professionals, disclosed a cybersecurity incident involving a third-party supplier providing after-hours call-center services. The supplier notified MAS of a breach of their systems through a cyber attack, potentially exposing personal data of MAS members who had used the after-hours service. MAS CEO Martin Stokes stated there was no confirmation that member data had been compromised but suspended use of the supplier as a precautionary measure. The company emphasized its own systems remained secure and unaffected by the breach. MAS initiated collaboration with the compromised supplier to address the situation and established a limited internal team to handle after-hours communications during the disruption. Stokes advised members to consider changing passwords for personal accounts despite no evidence of direct compromise.
Founded in 1921 by New Zealand doctors, MAS insures over 80% of the country’s medical professionals and also offers car, house, contents, and life insurance to non-medical clients. The incident exclusively impacted data held by the external call-center provider, with no breach of MAS’s internal infrastructure. Stokes reiterated MAS’s commitment to member privacy and directed individuals with concerns to contact privacy officers via a dedicated email address. The company pledged direct communication with affected parties if security risks were confirmed. This incident occurred amid a series of cyber attacks targeting third-party providers servicing New Zealand health-sector organizations in early December 2022, though MAS’s response focused solely on its own supplier breach without referencing parallel incidents.