Cyber Incident Victim: Greytown Medical Centre
Date:
Jan 2016
Location:
New Zealand
Summary
A primary health organization experienced a cyberattack involving website defacement and unauthorized system access, potentially compromising sensitive information of approximately one million individuals. Exposed data included patient registration details, National Health Index Numbers, names, birthdates, ethnicity, addresses, medical histories such as immunization records and chronic condition data, as well as organizational financial information like provider invoices and payment details. The breach, attributed to cybercriminal activity over multiple years, prompted the organization's CEO to publicly acknowledge security failures while announcing migration to a cloud-based platform for enhanced data protection.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Tū Ora Compass Health data breach, disclosed on October 5, 2019, stemmed from cyberattacks occurring between 2016 and March 2019 against the New Zealand primary health organization. The incident began with the August 2019 defacement of the organization’s public website, which prompted a broader investigation into its IT systems. This investigation revealed unauthorized access to Compass Health’s networks dating back to 2016, exposing sensitive medical and administrative records. The compromised data included information on approximately one million individuals registered with medical centers in the greater Wellington, Wairarapa, and Manawatu regions between 2016 and 2019. Specific datasets involved National Health Index Numbers, full names, dates of birth, ethnicity, residential addresses, and medical center registration details. The organization also confirmed exposure of clinical records such as immunization histories, diabetes screening results, cervical cancer screening logs, and influenza vaccination records for patients over 65. Financial data related to partner healthcare providers—including invoices and payment account details—was additionally compromised.
Compass Health CEO Martin Hefford publicly acknowledged organizational responsibility for the breach on October 8, 2019, stating the PHO had failed to safeguard patient data despite the criminal nature of the attacks. In response to the multi-year intrusion, the organization initiated migration of its systems to Microsoft Azure’s cloud platform, targeting completion by April 2020 to enhance security controls. The breach affected individuals whose data was held by Tū Ora or its predecessor entities since 2002, including legacy records from four merged PHOs: Capital PHO, Tumai Mo Te Iwi, Kapiti PHO, and Wairarapa PHO. No ransomware deployment or data deletion was reported, with the primary impact being unauthorized access to and potential exfiltration of sensitive health information. The organization did not disclose technical specifics regarding attacker methodologies, initial intrusion vectors, or whether data was confirmed as exfiltrated beyond the system compromises.