News Insights: Hack attack puts health details of one million New Zealanders at risk

Cybersecurity experts commented on the data breach involving a hack that placed in jeopardy the medical details of a million people went unnoticed for three years was reported over the weekend:

READ STORY: Hack attack puts health details of one million New Zealanders at risk


News Insights:

Jonathan Deveaux, head of enterprise data protection at comforte AG:

“According to the data breach statement, 17 years’ worth of personal data was potentially accessed not once, but four times before detected.  Unfortunately, there did not seem to be protections placed on the data itself, which means the personal data was left in clear text form.  It’s a good thing that no payment info, tax numbers, passport numbers, nor driver’s license numbers were on the server; otherwise, those data elements would have been exposed as well.

Business leaders at other companies should be asking themselves how long are they keeping personal data in files and databases?  More importantly, is that personal data also stored in clear text form? It seems there may be some technology and business leaders who are still accepting the risk that their data is of no interest to hackers, or their business model is unattractive for threat-actors to access. The PHO data breach, and many other breaches reported, proves that this is not the case.

There are two simple ways to reduce the possibility of data breaches.  First, do not collect and store data. If that can’t be avoided, then use cryptography to protect data. Cryptography for data protection most commonly refers to tokenization and encryption. When deployed effectively, both are successfully defending against and reducing the effects of data breaches. Tokenization, however, has been emerging as a best practice, due to its reduced impact on business processes and operations management.  Organizations should research which techniques best fit their environment.”


Elad Shapira, Head of Research at Panorays:

“This latest breach in New Zealand illustrates how third-party healthcare cybersecurity remains a pressing problem throughout the world. Tu Ora Compass Health was connected to 60 different general practice teams and other health providers, amounting to a breach of up to one million New Zealand patients’ data. Health providers hold some of our most sensitive and confidential data: personal and demographic information, financial statements, health details and insurance policies. Attackers can use this information for identity theft, insurance fraud, financial gain, or even blackmail. Often the best way for hackers to reach this information is through third parties, who have access to healthcare organizations’ data but lack adequate security to guard it. For this reason, assessing and continuously monitoring healthcare organizations’ third-party security is critical.“