Full Report
1News reports: A digital medical records data company has been taken offline after some patient records were modified. Some users' information had been changed, including to say they were deceased. MediMap is used by some health providers in aged care, disability, hospice and the community to accurately record medication doses. Read more at 1News.
Analysis Summary
# Incident Report: MediMap Patient Record Tampering
## Executive Summary
A New Zealand digital medical records company, MediMap, experienced an unauthorized entry resulting in the modification of patient records. Attackers altered data for some users, including marking them as deceased or changing their names (e.g., to "Charlie Kirk"). The organization took the platform offline immediately upon detection to investigate and restore data integrity, significantly disrupting care providers in the aged care, disability, and hospice sectors.
## Incident Details
- Discovery Date: Sunday afternoon (exact date not stated; reported February 24, 2026)
- Incident Date: Record modifications were noticed on Sunday afternoon; when the unauthorised access itself began has not been stated
- Affected Organization: MediMap (Digital medical records data company)
- Sector: Healthcare / Aged Care / Disability Services
- Geography: New Zealand (NZ)
## Timeline of Events
### Initial Access
- Date/Time: Sometime before Sunday afternoon (Date unknown)
- Vector: Not publicly detailed. MediMap has confirmed only that "unauthorised entry" occurred.
- Details: The entry was detected after altered records began surfacing to providers.
### Lateral Movement
- [Not publicly specified. Whether the attacker moved between systems is unknown; the confirmed fact is that records belonging to multiple providers were written to.]
### Data Exfiltration/Impact
- Date/Time: Before detection on Sunday afternoon (exact window unknown).
- Details: Patient medication records were modified. Specific modifications included:
- Marking some patients as deceased.
- Changing patient names (e.g., to "Charlie Kirk").
- Scope: At least dozens of providers have been affected.
### Detection & Response
- Date/Time: Sunday afternoon (Date unknown)
- Details: MediMap detected the unauthorized entry and immediately took the platform offline, placing it into "maintenance mode" to investigate and ensure data integrity.
## Attack Methodology
- Initial Access: Unauthorized entry confirmed. (Specific method unknown)
- Persistence: [Not specified]
- Privilege Escalation: [Not specified. The attacker held, or obtained, write access to core patient demographic and medication data; whether reaching that access required escalation is unknown.]
- Defense Evasion: [Not specified]
- Credential Access: [Not specified]
- Discovery: [Not specified]
- Lateral Movement: [Not specified]
- Collection: [Not specified. The confirmed activity is modification; records were necessarily read in order to alter them, but whether any were copied or collected beyond that is unknown.]
- Exfiltration: [No explicit mention of data exfiltration; the primary confirmed impact was data *modification*.]
- Impact: **Data integrity compromise** through manipulation of medication and demographic records.
## Impact Assessment
- Financial: [Not specified]
- Data Breach: **Data modification** of patient records in a platform used to record medication doses; the publicly confirmed changes were to patient status (alive/deceased) and patient names.
- Operational: Significant disruption to health providers (aged care, disability, hospice) relying on MediMap for accurate medication recording. Platform taken entirely offline.
- Reputational: High. The tampering was publicly reported, including records falsely marking patients as deceased and names replaced with "Charlie Kirk."
## Indicators of Compromise
- [No specific forensic IOCs (IPs, hashes, domains) are provided in the source material.]
- Behavioral Indicators: Unauthorized modification of core patient demographic and medication status fields.
## Response Actions
- Containment: Platform taken offline and placed into "maintenance mode."
- Eradication: [Under investigation]
- Recovery: Focus on investigating the scope and ensuring data integrity before restoring services.
## Lessons Learned
- **Criticality of Data Integrity in Healthcare:** Tampering with medication and patient status records can be more dangerous than data theft alone: a falsified deceased status or dose entry directly affects patient safety and care continuity. An integrity compromise is also harder to scope than a confidentiality one, because every record the attacker could have reached must be verified against a trusted baseline before service is restored.
- **Security Posture for Third-Party Vendors:** Dependence on third-party digital record systems requires robust security controls due to downstream effects on critical care environments.
## Recommendations
- Conduct thorough forensic analysis to determine initial access vector, persistence mechanisms, and whether data was exfiltrated prior to/concurrently with modification.
- Enforce strong access controls, including multi-factor authentication for all management and privileged system accounts.
- Enhance logging and monitoring specifically around database write operations affecting critical fields (e.g., patient status, medication records).
- Develop robust data integrity validation and audit trails independent of the main application layer to rapidly detect and roll back unauthorized changes.
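The last two recommendations are easier to act on with a concrete shape in mind. The following is an added example, not MediMap's code or anything from the 1News report: it keeps a hash-chained audit trail of writes to critical patient fields, flags an actor who writes to many patients in a short window (the pattern a mass "deceased" edit produces), and rolls the flagged actor's writes back from the trail's captured "before" values. The field names, the alert threshold, the actor and provider identifiers, and every audit event are constructed assumptions.

```python
"""Append-only audit trail for writes to critical patient fields, a detector
for anomalous write bursts, and a rollback driven by the trail's "before"
values. Added example, not MediMap's code; field names, the alert threshold
and every event below are constructed assumptions."""
import hashlib
import json
from collections import defaultdict

CRITICAL_FIELDS = {"status", "name", "dose"}   # assumed field names
GENESIS = "0" * 64


def _link_hash(prev_hash, entry):
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLedger:
    """Hash-chained log of critical-field writes. Each link commits to its
    predecessor, so editing or deleting an entry breaks verify(). Keep it
    on a separate system from the application database."""

    def __init__(self):
        self.entries = []          # each link: {"entry": {...}, "hash": str}

    def append(self, ts, actor, provider, patient, field, old, new):
        entry = {"ts": ts, "actor": actor, "provider": provider,
                 "patient": patient, "field": field, "old": old, "new": new}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"entry": entry, "hash": _link_hash(prev, entry)})

    def verify(self):
        prev = GENESIS
        for link in self.entries:
            if _link_hash(prev, link["entry"]) != link["hash"]:
                return False
            prev = link["hash"]
        return True


def detect_write_bursts(ledger, window=600, threshold=5):
    """Alert when one actor writes critical fields on >= threshold distinct
    patients within `window` seconds. Routine clinical updates touch one
    patient at a time; flipping many patients to deceased at once does not."""
    by_actor = defaultdict(list)
    for link in ledger.entries:
        if link["entry"]["field"] in CRITICAL_FIELDS:
            by_actor[link["entry"]["actor"]].append(link["entry"])
    alerts = []
    for actor, events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(events)):            # sliding time window
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            if len({e["patient"] for e in span}) > len({e["patient"] for e in best}):
                best = span
        patients = sorted({e["patient"] for e in best})
        if len(patients) >= threshold:
            alerts.append({"actor": actor, "patients": patients,
                           "providers": sorted({e["provider"] for e in best})})
    return alerts


def rollback_actor(records, ledger, actor):
    """Undo every write by `actor`, newest first, restoring the value the
    ledger captured before the write. Refuses to run on a ledger that
    fails verification, since its 'old' values can no longer be trusted."""
    if not ledger.verify():
        raise ValueError("audit ledger failed integrity check")
    restored = 0
    for link in reversed(ledger.entries):
        e = link["entry"]
        if e["actor"] == actor:
            records[e["patient"]][e["field"]] = e["old"]
            restored += 1
    return restored


def build_sample():
    """Constructed scenario: two routine updates by nurses, then one account
    marking six patients deceased and renaming one within a few minutes."""
    records = {f"p{i}": {"name": f"Patient {i}", "status": "active", "dose": "5mg"}
               for i in range(1, 9)}
    ledger = AuditLedger()
    t0 = 1_700_000_000
    ledger.append(t0, "nurse.a", "prov-1", "p1", "dose", "5mg", "10mg")
    ledger.append(t0 + 3600, "nurse.b", "prov-2", "p2", "status", "active", "discharged")
    for i in range(3, 9):
        ledger.append(t0 + 7200 + i * 30, "svc-admin", f"prov-{i % 3}", f"p{i}",
                      "status", "active", "deceased")
    ledger.append(t0 + 7500, "svc-admin", "prov-1", "p3", "name", "Patient 3", "Charlie Kirk")
    for link in ledger.entries:                   # apply the writes to the records
        e = link["entry"]
        records[e["patient"]][e["field"]] = e["new"]
    return records, ledger


if __name__ == "__main__":
    records, ledger = build_sample()
    for alert in detect_write_bursts(ledger):
        print("ALERT", alert)
        print("restored", rollback_actor(records, ledger, alert["actor"]), "fields")
    print("ledger intact:", ledger.verify(), "| p3 now:", records["p3"])
```

Two design points matter in practice. The ledger must be written by a path the application's normal database credentials cannot edit (a separate store, or a database trigger writing to a table the application role cannot update), otherwise an attacker with write access to patient records can also rewrite the trail they are being rolled back from; the hash chain detects edits but only the separation prevents them. And the burst threshold is a starting point: tune it against a baseline of legitimate update rates per role, since a bulk import by a provider administrator will look like a burst unless that role is modelled separately.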