Hacker Claims to Have Medical Details of More Than 1 Million New Zealanders

A hacker working under the name Vanda The God claims to have breached the database of Tū Ora Compass Health and has offered the medical details of 1 million New Zealanders for sale on Twitter, according to the Canterbury, New Zealand Star-News.

The massive hack has left the Ministry of Health unsure of what's been taken, and how much information the hacker now has. However, claims the hacker might have medical, mental or sexual health details have spread and continue to cause concern. Until the breach is fully identified, anyone who had been enrolled at a health center since 2002 may have had information compromised in the hack.

The hack revealed vulnerabilities in the system that date back to 2016. Director-General of Health, Dr. Ashley Bloomfield said the National Cyber Security Centre has been working with New Zealand ever since the vulnerability was first discovered in late August.

Two reviews into the bureau's security—one undertaken on September 21—have been conducted since, and they revealed four breaches: Two by known hackers like Vanda The God and two by what Bloomfield called "more sophisticated sources," though she declined to tell the Star-News who those sources might be.

The Ministry of Health says that the following information has been compromised: who is enrolled at which medical center, their National Health Index Number, name, date of birth, ethnicity and address. It's also possible that information such as smoking status, information about chronic diseases like diabetes, and other conditions useful to and involved in health promotion may have been disclosed during the hack.

A stock photo of a hacker. The medical information of a million New Zealanders may have been compromised by a hack. Bill Hinton/Getty

Tū Ora Compass Health chief executive Martin Hefford told the Star-News the August 5 hack was just one part of a "global cyber incident", which caused an investigation to be opened and the earlier attacks to be revealed.

"We don't know the motive behind the attacks. We have laid a formal complaint with police and they are investigating," Hefford said.

"We cannot say for certain whether or not the cyber attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people," he continued. "While this was an illegal attack by cyber criminals, it was our responsibility to keep your data safe and I am very sorry we have failed to do that. While we have no evidence that patient data was accessed, we encourage you to be vigilant to unusual online requests."

Vanda the God has been linked to a number of other hacks, including the hack of the Randolph County, North Carolina government website, the home page of the city of Tyler, Texas and the New Zealand website for the Institute of Directors. Vanda the God keeps a running list of their previous hacks, linked to from their Twitter account.

Ransomware continues to be a problem. According to Emisoft's Brett Callow, 68 state, county and city entities, 62 school districts and educational establishments, potentially impacting up to 1,051 individual schools, colleges and universities and
491 healthcare service providers have been hit with ransomware attacks.

Updated: 10/7/2019, 11 p.m.: With information about the toll ransomware has taken on the public market.