Cyber Incident Victim: Carterton Medical Centre
Date: Jan 2016
Location: New Zealand
Summary
A primary health organization experienced a cyberattack involving website defacement and unauthorized system access over several years, compromising sensitive data of approximately one million individuals. Exposed information included names, birthdates, National Health Index Numbers, addresses, ethnicity, and medical records such as immunization histories, diabetes checks, cervical screenings, and flu vaccinations for elderly patients; some organizational financial data was also affected. The breach impacted individuals registered with affiliated medical centers across multiple regions. The CEO acknowledged the failure to protect the data despite the criminal origins of the attack, and the organization initiated migration to a more secure cloud platform to prevent future incidents.
Description
The Tū Ora Compass Health data breach involved unauthorized access to systems spanning multiple years, with cyberattacks occurring between 2016 and March 2019. The primary health organization, formed through the merger of four PHOs (Capital PHO, Tumai Mo Te Iwi, Kapiti PHO, and Wairarapa PHO), discovered these incidents after its website was defaced on October 5, 2019. This public compromise triggered a broader investigation into the organization's IT infrastructure, revealing historical security failures. Compass Health confirmed the breach exposed sensitive medical records of approximately one million individuals registered with medical centers in New Zealand's greater Wellington, Wairarapa, and Manawatu regions during the 2016-2019 period. The compromised data included National Health Index Numbers, full names, dates of birth, ethnicity, residential addresses, and medical center registration details. Additionally, the breach involved clinical records such as immunization histories, diabetes screening results, cervical cancer screening logs, and influenza vaccination records for patients aged 65+. Organizational financial data related to healthcare providers—including invoices and payment account details—was also accessed.

Compass Health CEO Martin Hefford publicly acknowledged the failure to protect patient data, stating the organization was "devastated" by the breach despite its illegal nature. The investigation confirmed attackers infiltrated systems as early as 2016, though the August 2019 website defacement served as the incident's primary detection point. In response, Compass Health initiated migration of its systems to Microsoft Azure's cloud platform, citing enhanced security capabilities. This transition was scheduled for completion by April 2020. The organization did not disclose specific containment measures taken during the investigation or whether data was actively exfiltrated by threat actors. Impacted individuals received notifications about the exposure of their demographic, clinical, and administrative records accumulated since 2002 through PHO operations. No ransomware or financial extortion demands were referenced in the disclosure.
