Te Whatu Ora Health New Zealand Reveals IT System Breach
Te Whatu Ora Health New Zealand has recently disclosed a breach in the IT system of one of its regional offices that occurred five months ago.
In October, a hacker managed to access and download organizational and potentially sensitive staff information from Te Whatu Ora Central Region.
The compromised data includes general occupational health and safety information as well as sensitive data such as medical assessments and health-related correspondence spanning from 2020 to 2024. The breach affected two Central region districts: Capital, Coast and Hutt Valley, and Wairarapa.
“There is currently no evidence that the impacted information has been shared by the malicious actor or posted online. We are actively monitoring the situation,” stated Te Whatu Ora.
Te Whatu Ora has not yet provided an estimate of the number of individuals affected by the breach. Due to the complexity of the incident, notifying each affected individual has been challenging. The organization emphasized its commitment to protecting the privacy and security of personal information.
The Privacy Commissioner and NZ Police are now involved in the case, with the police planning to press criminal charges against the suspected hacker.
The Larger Trend
This cyber attack comes at a time when Te Whatu Ora is planning to downsize its workforce, including several data and digital positions. The Public Service Association has expressed concerns that such downsizing may not effectively mitigate the risk of IT breaches.
Te Whatu Ora has previously experienced cyber incidents, including a former employee leaking COVID-19 vaccination data of approximately 12,000 individuals to international websites in late 2023. The perpetrator has been charged with criminal offenses by the police.
In 2022, one of Te Whatu Ora’s IT service providers reported a cyber attack that affected around 14,000 data related to bereavement and cardiac services.
An investigation into the misuse of COVID-19 vaccination data highlighted Te Whatu Ora’s inadequate protection of sensitive information shared with third-party service providers.
Following a major cyberattack on the former Waikato District Health Board in 2021, the New Zealand health system operator was advised to enhance its incident management system, systematic logging, and data estate monitoring.
