Cyber Incident Victim: Kuripuni Medical Centre
Date: Jan 2016
Location: New Zealand
Summary
A primary health organization experienced a cybersecurity breach potentially exposing sensitive medical and financial records of approximately one million individuals. The compromise involved unauthorized access to systems over an extended period, including website defacement and historical cyberattacks. Exposed data encompassed patient registration details, National Health Index numbers, demographic information, clinical records such as immunization histories and screening logs, alongside organizational financial data like provider invoices and payment details. The entity acknowledged that it had failed to safeguard the information, while noting that the attack was criminal in origin. Impacted individuals included those registered with affiliated medical centers across multiple regions during the intrusion timeframe.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
The Tū Ora Compass Health data breach, disclosed on October 5, 2019, stemmed from a cyber incident initially detected in August 2019 when attackers defaced the primary health organization's public website. This website compromise triggered a broader investigation into the IT infrastructure of the New Zealand-based healthcare provider, which revealed a series of cyber intrusions occurring between 2016 and March 2019. Tū Ora Compass Health, formed through the merger of four primary health organizations (Capital PHO, Tumai Mo Te Iwi, Kapiti PHO, and Wairarapa PHO), maintained medical records dating back to 2002 for residents across Wellington, Wairarapa, and Manawatu regions. The breach potentially exposed sensitive information of one million individuals who were registered with affiliated medical centers during the 2016-2019 attack window.

Compromised data included National Health Index Numbers, patient names, dates of birth, ethnicity details, and residential addresses. The organization also confirmed exposure of clinical and administrative records such as immunization histories, diabetes monitoring reports, cervical screening results, influenza vaccination records for seniors over 65, and chronic condition management data. Financial records related to partner healthcare providers—including invoices and payment account details—were additionally affected. CEO Martin Hefford publicly acknowledged organizational responsibility for the security failures, stating the breach resulted from criminal activity but emphasizing Tū Ora's duty to safeguard data. In response, the PHO initiated a migration to Microsoft Azure's cloud platform, with completion targeted for April 2020, to modernize its security infrastructure. The organization did not specify whether ransomware, data exfiltration, or other malicious actions occurred beyond the confirmed website defacement and system intrusions.
