Cyber Incident Victim: Medical Assurance Society
Date: Dec 2022
Location: New Zealand
Summary
A cyber attack targeted a third-party supplier providing after-hours call-center services to MAS, New Zealand's largest insurer for medical professionals, potentially compromising members' personal data. The breach occurred through unauthorized access to the supplier's systems, prompting notification to the insurer regarding the security incident. While specific data types were not detailed, the incident raised concerns about exposure of sensitive information belonging to medical practitioners insured by the organization.
Description
On December 16, 2022, New Zealand’s Medical Assurance Society (MAS), the country’s largest insurer for medical professionals, publicly disclosed a cybersecurity incident involving unauthorized access to systems operated by a third-party supplier. The breach occurred through a cyber attack targeting the supplier’s infrastructure, which provided after-hours call-center services for MAS. The third party notified MAS of the intrusion, prompting the insurer to issue a public statement confirming the compromise. While MAS did not specify the exact timeline of the attack or its discovery, the notification indicated recent detection. The incident potentially exposed personal data belonging to MAS members, though the insurer did not detail the types of information compromised or the number of individuals affected. No evidence suggested direct infiltration of MAS’s internal systems, as the breach was confined to the supplier’s environment supporting call operations. MAS did not identify the attacker or disclose whether data exfiltration occurred.

The breach raised concerns about member data security due to MAS’s role in insuring healthcare professionals, though the insurer did not confirm any misuse of information. MAS’s response focused on transparency, promptly informing stakeholders through its public announcement while collaborating with the supplier to investigate the incident. No operational disruptions to MAS’s core services were reported, as the compromise was limited to after-hours call support. The insurer did not outline specific remediation steps taken by the third party or itself beyond the initial notification. Potential impacts remained unclear due to the absence of confirmed data categories exposed or regulatory filings detailing the scope. MAS’s disclosure emphasized the supply chain vulnerability inherent in relying on external vendors for critical functions.
