05 October 2019

Media Release from: Tū Ora Compass Health

Tū Ora Compass Health's website was defaced during a widespread global cyber incident in August 2019. The August attack prompted Tū Ora to take its server offline and strengthen its I.T. security, and an in-depth investigation by the relevant authorities was started. This included the National Cyber Security Centre, Ministry of Health, Police and other agencies.

Today we are announcing that investigations have found evidence of earlier attacks dating back to 2016.

Martin Hefford, Chief Executive Officer of Tū Ora Compass Health, said the top priority has been to work with experts to understand the potential implications and immediately identify the steps needed to look after the health and wellbeing of patients.

“As stewards of people’s information, data security is of utmost importance to Tū Ora Compass Health,” said Mr Hefford.

“We are devastated that we weren’t able to keep people’s information safe. While this was illegal and the work of cyber criminals, it was our responsibility to keep people’s data safe and we’ve failed to do that.

“As a PHO, one of our roles is to collect and analyse data that comes from medical centres.

“We do this to improve the care people receive, and it helps us ensure people get proactive screening for diseases like cancer and get treatment for chronic conditions like diabetes. This saves lives and keeps people well.”

Tū Ora holds data on individuals dating back to 2002, from the greater Wellington, Wairarapa and Manawatu regions.

The current population of these areas is around 648,000 people, but including those now deceased, or who have moved away from the area, the data covers nearly 1 million people.

“We are now focused on doing everything we can to support people and making sure it can’t happen again,” said Mr Hefford.

“We don’t know the motive behind the attacks, and we cannot say for certain whether or not these have resulted in any patient information being accessed, but we have laid a formal complaint with Police.

“Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people.”

Tū Ora does not hold GP notes, which are held by individual medical centres and are not at risk.

People are encouraged to be mindful as others may try to take advantage of the situation. If anyone is contacted by email, or called and told someone has their information, they should contact the Police.

A support line has been set up for people wanting further information on 0800 499 500, or +64 6 9276930 if calling from overseas.

If people are distressed and require more support, they can call 1737. Information is also available on our website www.compasshealth.org.nz.

Primary Health Organisations (PHOs) are charged with collecting some primary health data including demographic and long-term conditions data on behalf of the Ministry of Health.


Media contact

Communications Adviser

Editor notes:

Tū Ora does not hold GP notes (those made during consultations); these are held by individual medical centres. We do not hold the data contained in patient portals.

The data does include who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity, and address. For some people Tū Ora also holds additional clinical information used for health promotion, such as smoking status, for managing chronic conditions like diabetes, or to deliver services.

We also hold some medical information provided by medical centres to us that we analyse and provide back to the medical centres to support timely quality care. For instance, Tū Ora provides GPs and practice nurses with information on: 

· Which children are due for immunisation;
· Whether people with diabetes are up to date with all the checks and are being treated according to best practice;
· Whether people aged over 65 have had a flu vaccination yet;
· Who has been admitted to hospital for a potentially avoidable condition;
· Which women are due to be recalled for cervical screening;
· Who is due for a heart and diabetes check.