Urgent request for information regarding Compass Health PHO
Vincent made this Official Information request to Ministry of Health
This request has an unknown status. We're waiting for Vincent to read a recent response and update the status.
From: Vincent

Dear Ministry of Health,
I am a patient that is affected by the Compass PHO data breach.
I am requesting:
- The names and vendors of any systems involved in this breach.
- A copy of all risks or risk register documents that identify direct or indirect impacts on patients as a result of this breach, or any other data breach.
- A copy of any communications plan, internal or external, relating to this breach.
- All penetration or security tests, performed by a reputable third party organisation, against health systems held, managed or utilised by PHOs.
- All communications with any external organisation that are providing any sort of review, advisory, or investigative role in relation to this breach.
- All communications in the past 6 months and documentation relating to decisions around the audit of access to information held by any PHO.
- Any and all communications to the Minister of Health that includes or mentions this breach.
I recognise the scope of this request is broad and would ask the request for risks, and request for any penetration or security tests be prioritised.
Yours faithfully,
Vincent
From: Vincent

Dear Ministry of Health,
I am yet to receive any acknowledgement this request has been received.
Could you please confirm receipt of my request?
Yours faithfully,
Vincent
From: Ministry of Health

Kia ora Vincent
Thank you for your request for official information. You can expect a
 response on or by 5 November 2019.
Nga mihi
OIA Services
 Government Services
 Office of the Director-General
 Ministry of Health
 E: [email address]
From:        "Vincent" <[FOI #11391 email]>
 To:        "OIA/LGOIMA requests at Ministry of Health"
 <[Ministry of Health request email]>,
 Date:        13/10/2019 02:48 p.m.
 Subject:        Re: Official Information request - Urgent request for
 information regarding Compass Health PHO
--------------------------------------------------------------------------
Dear Ministry of Health,
I am yet to receive any acknowledgement this request has been received.
 Could you please confirm receipt of my request?
Yours faithfully,
Vincent
From: Ministry of Health

Dear Vincent
Thank you for your request for official information, received on 7 October
 2019 requesting:
"I am a patient that is affected by the Compass PHO data breach.
I am requesting:
- The names and vendors of any systems involved in this breach.
- A copy of all risks or risk register documents that identify direct or
 indirect impacts on patients as a result of this breach, or any other data
 breach.
- A copy of any communications plan, internal or external, relating to
 this breach.
- All penetration or security tests, performed by a reputable third party
 organisation, against health systems held, managed or utilised by PHOs.
- All communications with any external organisation that are providing any
 sort of review, advisory, or investigative role in relation to this breach.
- All communications in the past 6 months and documentation relating to
 decisions around the audit of access to information held by any PHO.
- Any and all communications to the Minister of Health that includes or
 mentions this breach.
I recognise the scope of this request is broad and would ask the request
 for risks, and request for any penetration or security tests be
 prioritised."
 The Ministry of Health has decided to extend the period of time available
 to respond to your request under section 15A of the Official Information
 Act 1982 (the Act) as further consultation is required.
You can now expect a response to your request on, or before, 26 November
 2019.
However, you asked for information about penetrative security testing and
 risk to be prioritised. I am able to provide information about these
 aspects of your request immediately as follows.
The Ministry has been working with the Government Communications Security
 Bureau's National Cyber Security Centre (NCSC) to undertake targeted
 assurance work on 600 primary health organisation and district health
 board websites to check for similar vulnerabilities which enabled the Tū
 Ora Compass Health cyber security breach. The NCSC scanning identified
 five websites operated by three DHBs as having potential vulnerabilities.
 One of these was a “false positive” where subsequent analysis showed the
 vulnerability had been previously patched and was secure. In the other
 four instances the vulnerabilities were confirmed and immediate actions
 were taken by the affected DHBs to mitigate the risk. 
The Ministry has been advised that none of these websites contained, or
 provided immediate access to, confidential health information relating to
 patients. As there is no patient information on the sites, because the
 risks have been mitigated, to minimise the risk of inadvertently abetting
 further illegal activity the Ministry is not currently naming the DHBs or
 the websites.
With regard to risk, the Ministry considers that the biggest risk arising
 from the Tū Ora incident is the possibility of people being targeted by
 scams and phishing attempts, for example malicious actors purporting to
 hold sensitive information about a person. The most effective mitigations
 for this risk are to remain vigilant, report any suspicious contact or
 activity and practise good online security.
The Ministry has undertaken to keep the public informed about the ongoing
 assurance work underway to strengthen information security in the health
 system. Further information about this work is available here:
 https://www.health.govt.nz/news-media/me...
You have the right, under section 28 of the Act, to ask the Ombudsman to
 review my decision to extend the time available to respond to your
 request.
Yours sincerely
OIA Services
 Government Services
 Office of the Director-General
 Ministry of Health
 E: [email address]
From: Ministry of Health

Kia ora Vincent
Please find attached a letter regarding your request for official
 information.
Nga mihi
OIA Services
 Government Services
 Office of the Director-General
 Ministry of Health
 E: [email address]