Breach at New Zealand Medical Center Could Impact One Million Patients
A cyber attack on the company's website in August prompted an investigation that uncovered additional attacks dating back to 2016.
One of the biggest healthcare providers in New Zealand confirmed over the weekend that it fell victim to a data breach, an incident that may have exposed data on as many as one million patients.
Tū Ora Compass Health, a primary health organization (PHO) in New Zealand, acknowledged this weekend that it had been the victim of cyberattacks spanning nearly three years, from 2016 until March this year. Another, seemingly separate attack on the PHO's website on August 5 prompted the investigation that uncovered the earlier attacks.
In New Zealand, PHOs are set up to support primary healthcare services, both directly and through contracted providers.
Upon investigating the Tū Ora Compass breach, the New Zealand Ministry of Health said Saturday that additional healthcare facilities in the country, including Think Hauora, Ora Toa PHO, and Cosine PHO, may have also had data affected.
Tū Ora admitted that it doesn't have audit logs that go back to 2016, so it's difficult to know for certain whether patient data was accessed.
The provider said it's possible that the data it holds on patients was accessed over the course of the three-year period. Tū Ora holds patient data such as who's enrolled at which medical center, patients' National Health Index Number, their name, date of birth, ethnicity, and address. It also keeps track of information that could give an attacker a great deal of context on a patient (and potentially be used in phishing attacks), including who's due for a heart and/or diabetes checkup, which children are due for immunization, who's been admitted to a hospital, and so on.
While the company claims it doesn't store any banking, credit card, or financial data on patients, it does hold some organizational financial data for the practices and healthcare providers it works with, such as invoices and account details, that may also have been accessed.
"As stewards of people’s information, data security is of utmost importance to Tū Ora. While this was an illegal attack by cyber criminals, it was our responsibility to keep your data safe and I am very sorry we have failed to do that", Martin Hefford, Chief Executive Officer of Tū Ora, said Saturday.
While having to disclose a breach is always difficult, it's even worse having to acknowledge that attackers may have been accessing patients' data without the PHO's knowledge going back three years.
The facility said in its FAQ that it's planning to roll out a slew of mitigations to better safeguard data, including deploying a web application firewall (WAF), a security incident and event management (SIEM) system, and a security operations center (SOC).
While all of these can work in concert to help block malicious traffic and aggregate and monitor network events, the organization would also benefit from making data loss prevention a keystone of its next platform. That could give the PHO's admins visibility into data, user, and system events, and the ability to discover, monitor, and control sensitive data like PHI.