A primary health organisation whose website was hacked in August has found evidence of earlier attacks dating back to 2016.

The incident involves Tū Ora Compass Health which is responsible for collecting and analysing data from medical centres involving disease screening and treatment for conditions including diabetes.

Tū Ora holds data on patients dating back to 2002, from the greater Wellington, Wairarapa and Manawatu regions so nearly a million people in the lower North Island could be affected.

At a media conference in Wellington this morning, Martin Hefford, CEO of Tū Ora Compass Health, said after the August hack was discovered, the top priority has been to work with experts to understand the potential implications and identify the steps needed to look after the health and wellbeing of patients.

"We are devastated that we weren't able to keep people's information safe. While this was illegal and the work of cyber criminals, it was our responsibility to keep people's data safe and we've failed to do that," Mr Hefford said.

The August hack was part of a global cyber incident. An indepth investigation was launched by the National Cyber Security Centre, Ministry of Health, police and other agencies which uncovered previous cyber attacks dating back to 2016.

It's not yet known whether any patient information was accessed and Tū Ora said it is likely that will never be known.

Tū Ora does not hold GP notes, which are held by individual medical centres and are not at risk.

Mr Hefford said the PHO is focused on doing everything it can to prevent another cyber attack.

Tū Ora Compass Health is one of 30 PHOs responsible for collecting and analysing general practice data such as patients who have been immunised. The data is then given back to the medical centres where it is used to help GP teams to provide high quality care, including contacting people who have not been immunised and encouraging them to do so.

Tu Ora also delivers some clinical services such as podiatry and mental health care.

Last month the government named Tu Ora as one of more than 20 existing underfunded mental health services which would receive a share of $6 million to improve services for those needing mental health support.

Ministry of Health calls in GCSB over attacks

The Ministry of Health said it has been working closely with Tū Ora Compass Health since the PHO became aware of the hack in early August.

Director-General of Health Ashley Bloomfield said before making details of the cyber intrusion public, the ministry wanted to ensure the Tū Ora's information systems were secure and that there were appropriate supports in place for people who may be concerned their information has been accessed.

"We also needed to ensure publicity wouldn't increase the risk of further online harm," he said.

Dr Bloomfield said Tū Ora has strengthened its security following the incident.

Anyone concerned about the incidents can contact the Ministry of Health's call centre on 0800 499 500 or +64 6 927 6930 for overseas callers.

"Additional supports, such as counselling, health advice or other services, have been arranged for people distressed or anxious about the unauthorised access," Dr Bloomfield said.

Director-General of Health Ashley Bloomfield, right, addresses the media conference. With him is Shayne Hunter, deputy director-general of digital and data at the ministry. Photo: RNZ / Charlotte Cook

The Ministry of Health is working with other PHOs and DHBs to check the security of their systems and, if necessary, ensure this is strengthened. Additional monitoring and cyber 'stress testing' of DHB and PHO computer security is underway.

"We have also been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk.

"This work is ongoing and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."

The Ministry of Health and the GCSB believe the testing now underway will identify areas where further action can be taken to strengthen information security measures at PHOs and DHBs.

What data is held by Tū Ora? Tū Ora does not hold GP notes or information contained in a person's patient portal; ACC claims data; or Piki youth mental health programme data Tū Ora does hold data including who is enrolled at which medical centre, their national health index number, name, date of birth, ethnicity and address It holds some medical information provided to it by medical centres, to provide timely care. That means Tū Ora provides GPs and practice nurses with information on: which children are due for immunisation; whether people with diabetes are up to date with all the checks and are being treated according to best practice; whether people aged over 65 have had a flu vaccination yet; who has been admitted to hospital for a potentially avoidable condition; which women are due to be recalled for cervical screening; who is due for a heart and diabetes check Tū Ora holds some patient information for delivering clinical services like podiatry, mental health and diabetes care

Main Image: Tū Ora Compass Health chief executive Martin Hefford, left, says the PHO is focusing on ensuring no more data security breaches occur. Board chair Larry Jordan sits alongside Mr Hefford. Photo: RNZ / Charlotte Cook