Public message from Tū Ora Compass Health

Kia ora,

As a Primary Health Organisation, one of our roles is to collect and analyse data that comes from your medical centre. We do this to improve the care people receive. It helps to ensure people get proactive screening for diseases like cancer and get treatment for conditions like diabetes. This saves lives and helps keep people well.

On 5 August, our website was attacked as part of a global cyber incident. As soon as we became aware, our server was taken offline, we strengthened our IT security and started an in-depth investigation. The investigation has found previous cyber attacks dating from 2016 to early March 2019. We don’t know the motive behind the attacks. We have laid a formal complaint with Police and they are investigating.

We cannot say for certain whether or not the cyber attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people.

Tū Ora holds data on individuals dating back to 2002, from the greater Wellington, Wairarapa and Manawatu regions. Anyone who was enrolled with a medical centre in that period could potentially be affected.

Tū Ora does not hold your GP notes; these are held by individual medical centres. This means the notes made on consultations you have had with your GP are not at risk of being illegally accessed through this cyber attack. We do not hold the data contained in your patient portal if you have one.

As stewards of people’s information, data security is of utmost importance to Tū Ora. While this was an illegal attack by cyber criminals, it was our responsibility to keep your data safe and I am very sorry we have failed to do that.

We are now focused on doing everything we can to support people and making sure it can’t happen again. We have set up a number (0800 499 500 or +64 6 9276930 if dialling from overseas) for people to call to obtain more information.

While we have no evidence that patient data was accessed, we encourage you to be vigilant to unusual online requests.

Cert NZ has more information about staying safe online on their website at www.cert.govt.nz. Please read our FAQs below for more information.

Again, I want to apologise for this situation and the distress it will cause.

Ngā mihi,

Martin Hefford

Chief Executive

Tū Ora Compass Health

Please read the FAQ below to find some answers to questions that you may have about this incident.

What happened?
Tū Ora Compass Health’s website was defaced in August 2019 during a widespread global cyber incident, which exploited a vulnerability first identified in early July. The August attack prompted Tū Ora to take our server offline and strengthen our IT security, and an in-depth investigation by the relevant authorities was started. This included the National Cyber Security Centre, Ministry of Health, Police and other agencies.

What became clear during the investigation was evidence of previous attacks by cyber criminals dating back to 2016.

Despite careful investigation, we cannot say for certain whether or not the cyber-attacks resulted in any individual patient information being accessed. It is likely that we will never know.

Who is Tū Ora Compass Health and why does it collect data?
Tū Ora Compass Health is one of 30 Primary Health Organisations (PHOs) in New Zealand. One of the roles of a PHO is to collect and analyse general practice data. Medical centres provide PHOs like Tū Ora Compass Health with some limited patient data, e.g. details of all those who have had immunisations. The data is analysed by Tū Ora and then given back to the medical centres, where it is used to help GP teams provide high quality care, e.g. by identifying people who have not had immunisations so they can be contacted and encouraged to do so.

The reason we collect this information and provide it back to GPs is to improve the care people receive. It ensures people get proactive screening for diseases like cancer and get treatment for chronic conditions like diabetes. This helps save lives and keep people well.

Tū Ora also delivers some clinical services such as podiatry, mental health, and diabetes care. Patient information collected as part of delivering these clinical services is contained within the Tū Ora IT systems.

Who is potentially affected by this cyber-attack?
People who have been enrolled with a medical centre in the greater Wellington, Wairarapa and Manawatu regions since 2002.

The current population of these areas is around 648,000 people, but including those now deceased or who have moved away from the area, the data covers nearly 1 million people.

Was patient data accessed illegally?
While we have no evidence that access to patient data has occurred, we cannot rule out the possibility that some patient data may have been accessed during the cyber-attack.

What patient data is held by Tū Ora?
Tū Ora does not hold your GP notes; these are held by individual medical centres. This means notes made on consultations you have had with your GP are not at risk. We do not hold the data contained in your patient portal if you have one.

We hold data that includes who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity and address.

We also hold some medical information provided by medical centres to us that we analyse and provide back to the medical centres to support timely quality care. For instance, Tū Ora provides GPs and practice nurses with information on:
• Which children are due for immunisation
• Whether people with diabetes are up to date with all the checks and are being treated according to best practice
• Whether people aged over 65 have had a flu vaccination yet
• Who has been admitted to hospital for a potentially avoidable condition
• Which women are due to be recalled for cervical screening
• Who is due for a heart and diabetes check.

As part of delivering clinical services such as podiatry, mental health and diabetes care, Tū Ora also holds some patient information required for those services.

We also hold some organisational financial data for the practices and other health care providers that we work with, e.g. invoices and account details, which enable us to pay for services delivered.

The Piki youth mental health programme data is not included in the information potentially illegally accessed.

We do not hold ACC claims data.

Is there any other information you may have on me?
We hold no banking, credit card or financial information for patients. We do not hold any information such as passport numbers, driver license numbers, or, tax numbers. We only hold a part of a medical record for data analysis, reporting and specific service delivery purposes.

Why don’t you know whether patient data was accessed?
We do not have audit logs going back to 2016.

What is being done to stop this happening again?
As soon as we found out about the August 2019 cyber-attack, we took the affected server offline. We increased security for our systems and contacted relevant authorities immediately, who began a thorough investigation.

We’re currently moving to a new, more modern and more secure digital platform that is in line with international best practice.

Can you guarantee a cyber-attack won’t happen again?
While we are committed to using the best, most up-to-date security, international experience shows that not even the largest corporations or organisations can guarantee they are immune to criminal activity.

What does this mean for me?
While we have no evidence that patient data was accessed, criminals can use personal data to commit crimes such as identity theft and fraud, by combining the data with information stolen from other sources.

Are people affected by this potentially more susceptible to scams now?
Yes. We are advised that cyber criminals try to scam people by claiming to have their information even when they don’t. Unfortunately, if they do have it, there is also the likelihood of more scams or attempts to use the information they hold to obtain more information or money.

What action do I need to take?
While we have no evidence that patient data was accessed, we encourage you to be vigilant to unusual online requests; never share your passwords or account details and follow good online security practices.

This means:
• keeping software up to date
• regularly changing passwords, and
• ensuring that you use different passwords for different online activities.

Cert NZ has more information about staying safe online on their website at www.cert.govt.nz.

How can I get more information and support?
If you want to know more, please call our support line on 0800 499 500. If you are calling from overseas please use +64 6 9276930.

If you are feeling distressed and need support, please call the 1737 mental health support line. 1737 is free to call and doesn’t use up any of your mobile data.

How do I report fraud or cybercrime?
Contact the Police at cybercrime@police.govt.nz if you believe your identity may have already been used in a fraudulent way.

Did I consent for my data to be collected?
Yes. When you enrolled with your GP, the enrolment form included a consent item around data collection and use of health information.

How can I opt out of my data being collected by my GP?
At the moment it is not possible to opt out of this arrangement due to system limitations. But we are working with the Ministry of Health and other agencies to consider this for the future.

Can I trust that information I share with my GP is safe?
GP patient notes are not held by Tū Ora Compass Health. They have not been affected by this cyber-attack. The primary care summary record system that is used by hospital service providers and by after-hours services is also not affected by this cyber incident.

Cultural concern
If you have specific cultural concerns around health information, please call the support line on 0800 499 500.

Can I find out what information Tū Ora holds on me?
Yes. We will need to go through a process to identify you to ensure we are not providing information to the wrong person, for example where there are people with the same or similar names, and then we can provide a report to you of the information we have.

What’s happening to make Tū Ora data safer in the future?
Tū Ora has already moved its public websites to a new platform, and has strengthened its security measures by:
1) Enhancing its anti-virus and email scanning software
2) Implementing a Security Information and Event Management (SIEM) system
3) Implementing a Web Application Firewall (WAF)
4) Establishing a Security Operations Centre (SOC) for real-time monitoring and resolution of cyber threats

We are also part way through a planned move to more modern, more secure infrastructure using Microsoft Azure. The new Tū Ora Microsoft Azure environment will be fully secured, with a defence in depth approach to protecting all our electronic assets.

Microsoft Azure itself is fully compliant with the international ISO 27001 cyber security standard.

Tū Ora will also be using the Advanced Threat Protection features available from our investment in the Microsoft 365 suite of products, including device and application protection, data loss protection and full data encryption.

We expect to have completely moved to the new platform by April 2020.

What about research data?
Tū Ora holds data relating to ethics-approved research studies conducted with academic institutions. Some of this research includes notes from GP consultations at certain medical centres for certain people. Recent research project topics have included influenza-like illness prevalence, child health, and osteoarthritis prevalence.