Cyber security incident at Tū Ora Compass Health

7 Oct 2019

Your confidential healthcare information is secure across the Pinnacle network in Waikato, Taranaki, Lakes and Tairāwhiti

Pinnacle has been safeguarding the health records of our enrolled patients across the Midlands region for over 30 years.

Maintaining your trust and privacy is important to us.

We believe the appropriate use of health information is critical for improving health outcomes, and we have always encouraged data-driven decision making.

The situation faced by Tū Ora Compass in the lower North Island is something no one ever wants to see. They suffered a sustained breach, which involved the exploitation of a known vulnerability in a web server, and this took place over a number of years.

No Pinnacle patient information is available via any website, and therefore the type of breach experienced by Tū Ora Compass would never have an impact on patient privacy or information security within the Pinnacle network.

We only collect what we need to help you and your whānau. And we only use what we know to improve your health and the health of the community. We look after what we know and keep it secure.

We are continually upgrading our corporate network and our data management processes and protocols to ensure we collect, transport and store data with the best security measures in place.

Pinnacle servers are hosted by Stratus cloud in the Datacom Kapua Tier 3+ data centre, which provides a hosting environment with the same security as key government departments and leading corporate organisations. We have been operating our environment there, and hosting over half of the network's practices, since 2012.

As part of maintaining our environment and processes, we recently completed a further privacy impact assessment (PIA) with the Office of the Privacy Commissioner. The PIA gave us assurance that we are meeting or exceeding all our legal obligations, ensuring we are fully compliant with the Privacy Act 1993 and the Health Information Privacy Code.

Anyone concerned about the incidents can contact the Ministry of Health's call centre on 0800 499 500, or on +64 6 927 6930 for overseas callers.

For more information

  • Pinnacle practices should contact their practice support person if they have any further questions or concerns
  • Media contact: Marie Simpson, communication lead, 027 226 6767

Further technical information

At a technical level, our environment has dedicated, secure VLANs, VPNs, firewalls and IDS/IPS in place for our servers – delivering a highly secure, dedicated network environment.

Additional measures we operate include:
  • IP address whitelisting and multi-factor authentication are required to access any of our cloud services
  • all cloud services are developed and operated on a 'least privilege' basis - meaning that people only have access to the data they need to do their job, and no more
  • a robust process of logging all actions taken in our cloud environment, including any login attempts, and any actions associated with a user once they have logged in
  • additionally, all logged actions are reported, visualised and reviewed monthly by a Data Governance Group
  • data is encrypted at rest (via AES-256 encryption), and any transfer to and from cloud services is secured with SSL
  • all Pinnacle patient data made available to cloud services for reporting is also de-identified.

We use both local cloud (information stored in the Datacom Kapua Tier 3+ data centre) and public cloud storage (information and processes making use of systems operating around the globe) - the cloud is not a web server, and is not subject to the same vulnerabilities.

Through our redesigned services we’ve begun a new partnership with Amazon Web Services (AWS). As a global leader in public cloud services, its data centre and network architecture is built to meet the requirements of the most security-sensitive organisations worldwide.