IT companies allege that one of New Zealand’s largest networks of doctors and nurses has been storing hundreds of thousands of sensitive patient records, without express consent.

Four healthcare IT companies are warning that one of New Zealand’s largest networks of family doctors, nurses and general practice teams has been storing hundreds of thousands of patient records containing personally identifiable information (PII) – without the knowledge or consent of the data subjects.

“ProCare Health has been storing [PII] including names, addresses, financial information, clinical data and medication histories in a database called ‘Clinical Intelligence System,’” wrote four healthcare companies in a letter Tuesday to New Zealand’s Privacy Commissioner, obtained by the New Zealand Herald.

The four – HealthLink, Medtech Global, myPractice and Best Practice Software New Zealand – claim that up to 800,000 patients’ medical data is at risk, though they acknowledged that they didn’t know the full extent of the data collection.

“Amassing hundreds of thousands of patient records in a single database increases the risk of compromising patient data should a breach occur,” Onyeka Jones, product manager at Tripwire, told Threatpost. “To ensure patient care and safety, healthcare organizations must go beyond simply being compliant with security frameworks and ensure that their environment is duly protected against unauthorized changes and misconfigurations, which can make their environment susceptible to a cyber-attack. Given the increased cyber-attacks against healthcare organizations, it is simply no longer sufficient to be merely compliant with security frameworks.”

The firms also allege in their letter that most patients “seemed unaware of the ProCare database.” That could be a violation of the New Zealand Health Information Privacy Code, which, similar to HIPAA in the U.S., stipulates how health information is collected, used, held and disclosed by health agencies.

“At a time when attitudes towards patient privacy are shifting in favor of giving greater protections to the individual, here is an organization that has no direct patient relationship asking doctors to help it amass all the patient records it can get access to,” they wrote.

ProCare Health isn’t taking the allegations in stride, saying in a media statement that “Patients should understand from the enrollment form that identifiable information is shared with the [primary health organization] (PHO) for the purposes stated. The PHO has strict procedures to ensure that individual patient privacy is protected and uses the data for improving healthcare provision and planning…ProCare takes very seriously the care of both patients and their records and has very robust frameworks and processes in place to ensure all legislation obligations are met.”

The organization’s clinical director, Allan Moffitt, added: “As a PHO ProCare could not function without collecting this data and as an organization owned and governed by clinicians, we take very seriously our obligations to privacy and security of information.”

The Privacy Commissioner said the case was being reviewed.

Aside from the privacy implications, the four healthcare companies also raised a security concern in their letter: with such a large repository of records held in one place, a single point of entry is all a hacker would need to make off with all of that data.

Robert Capps, vice president and authentication strategist for NuData Security, said that the consequences could be dire if that happens.

“Stolen medical records can be especially damaging as bad actors can use them for fraudulent claims and then affect a patient’s future healthcare coverage,” he said, in an email to Threatpost.

Mike Simon, CEO of Cryptonite, told us that even so, the amount of information stored wouldn’t be as much of a risk as long as there are safety controls in place – which should be part of the Privacy Commissioner’s investigation.

“The safety of patient records from cyberattacks is not a function of the size of the database but instead the network controls that are in place to protect the data,” he said via email. “If health organizations use existing zero trust toolsets to prevent uncontrolled lateral movement, stealing of credentials, spoofing of legitimate users and network controls to stop reconnaissance, then the risk of breaching a large database of health records virtually disappears.”

And of course, it’s hoped that the database is not kept in an insecure cloud storage bucket – an area rife with misconfiguration problems that have leaked millions of private records across industries in recent years.