New Accuro Policy Administration System - 10 March
We are pleased to announce that phase one of our new policy administration system will go live in the week commencing Monday 13 March. This release marks a significant step in Accuro’s recovery from the cyber incident we experienced before Christmas and provides the foundation for Accuro to move into the next chapter of our growth and development.
New policy administration system benefits
The policy administration system has been purpose built to future proof Accuro and ensures we can respond to changes in the market and member requirements quickly and easily. The system is the core of our day-to-day operations, and facilitates managing member policies, onboarding new members, processing claims, product pricing and development and the overall servicing of our members.
More than just providing a smoother day to day experience, we will now be able to innovate beyond the limits of our previous system, while the reduction of manual processes will free up more time to focus on delivering quality customer experiences.
Phase one release
Due to the impact of the cyber incident, and the need to get back up and running as quickly as possible, we will be releasing the new system in phases. The first phase involves most of our core member servicing processes (including claims) but other functionality such as the member portal will not be available immediately.
What does it mean for Accuro customers?
The phase one release will not change the way our customers submit claims or pre-approvals currently, but our capacity to process these items will be improved. Premium charging will also return to normal, and you will be able to make changes to policies.
Making changes and submitting claims/pre-approvals
As the member portal will be unavailable in phase one, Members can call us on 0800 222 876 or email firstname.lastname@example.org. The Claim form or Pre-approval form and any supporting documents must be sent to email@example.com to submit a claim or pre-approval. Please note that there will continue to be processing delays while we clear the current backlog.
Updates to premium
There are situations where we have not been able to charge some members the correct premium since the cyber incident. When the new system goes live, premiums will automatically update, and those members will be charged their correct premium from the week commencing 13 March. These situations include:
- New policies that have not been billed before (including transferring to a new policy)
- Changes made to an existing policy on or after 1 November (e.g. adding or removing members, plans, excess, or discounts)
- Suspending a policy or coming off suspension
- Changes made to payment method or frequency on or after 1 November 2022
- Policies which are paid for by manual invoice
- Policies with premium waivers that were due to end
- Policies with anniversaries between 30 November and 12 March
- Policies that pay annually where there were issues with the payment previously (i.e. payment was not received for the previous period or the payment dishonoured)
- Some policies which are part of Accuro workplace health insurance schemes
We will be in contact with members in the coming weeks about how we intend to resolve any difference in premium owing from the last three months.
While we still have work to do, the launch of the first phase of our new policy admin system is a critical step in returning to the high level of customer service that you expect of us as New Zealand’s best little health insurer. Thank you for your patience and continued support.
Update from the Accuro CEO - 24 February
It is now nearly 3 months since the cyber incident occurred at our IT provider, Mercury IT. It has been a difficult period for the team at Accuro while we deal with recovering from the incident, while also doing our very best to continue to service our Members without access to our core systems. I want to express my sincere thanks to all our Members for their support and patience – especially from those who have experienced delays in claim payments.
The good news is that we are now well advanced in our recovery and this will be further accelerated with the first stage of our new policy administration system going live in the coming weeks. While our service will continue to be impacted for some time, we expect the situation to rapidly improve as more of our system functionality comes back online.
I would also like to acknowledge and send our sympathies to all Members who have been impacted by Cyclone Gabrielle. We appreciate that some Members in those affected areas may be facing financial difficulties, so we have established a new Hardship Committee to assist those who need support.
Customer information risk
Our cyber security and IT forensic experts have now completed their detailed evaluation of the Accuro information that was illegally downloaded from Mercury IT’s environment.
This review has confirmed that the downloaded information is limited to a selection of files from Accuro’s finance folders and largely contains financial and commercial information relating to Accuro. As previously advised, this data did contain some member information but, in the majority of cases, this was limited to name and member number. We have directly notified members where we have identified personal information beyond this and advised them of the recommended steps they can take to protect their personal information from misuse. While we have done our best to identify and notify those members, it is possible that we have not been able to identify and contact everyone. We recommend therefore that all members continue to be vigilant for any increase in scams, and check out the advice below which details steps that you can take to protect yourself.
New policy administration system and premiums
Despite the impacts of the cyber incident we have made significant progress with our new policy administration system. Our stage one release date is planned for March. Due to the impact of the cyber incident and the need to get back up and running as quickly as possible, not all system functionality will be available immediately. We will instead be releasing each new development stage in instalments. Most of our core member servicing functionality will be live in release one which will enable us to start returning to our usual service levels, but there will continue to be claims processing delays while we clear the current backlog. We will provide more details on this as we approach the go-live date.
We have also notified members who had policy anniversaries during the period between the cyber incident and the new system going live. A reminder to those who had anniversaries that, once the new system goes live, your new premium will be applied. At this point, we will also be in a position to contact members about any premiums that have been missed during this period.
Our thoughts are with all of those that have been impacted by the devastation from Cyclone Gabrielle. We recognise that this event will have caused significant distress and, in some cases, financial hardship. To assist those members who may need support with premium payments, we have established an Accuro Hardship Committee. This committee will review individual members’ circumstances and arrange an appropriate response to enable the member to manage their payments and retain their cover during this difficult period.
To contact the Hardship Committee, please email firstname.lastname@example.org
While the last few months have been a very difficult period for Accuro to navigate, I am very proud of what our small Accuro team has achieved and have been touched by the support we have received. It is pleasing to now be well on the way to returning to delivering our usual level of service for our Members.
I look forward to sharing further news on that recovery in the coming weeks. In the meantime, thank you for continuing to put your trust in Accuro.
Chief Executive Officer
Update from the Accuro CEO - 17 January
As you will be aware, 2022 ended on a very challenging note for Accuro following the cyber incident at our external IT infrastructure provider. This resulted in the majority of our systems becoming unavailable and has limited access to our records and files. As we start 2023, those issues are unfortunately still with us and we don’t expect to be back to usual operating conditions until at least the end of February.
Customer Information Risk
We are aware that the third party responsible for the cyber incident has now illegally released online a small set of Accuro data that was obtained in the Mercury IT cyber incident.
We believe that this represents all of the data that was accessed in the incident and that the data is from our commercial and management files, which largely contains financial information relating to Accuro. We are in the process of working with our cyber and IT advisors to analyse this data to identify what personal information it contains. We know that there is some limited member information within some of these files.
We want to reassure you that at this time we have no evidence that this information has been misused. If we discover any personal information that places you at potential risk, we will directly contact you with the specific steps you can take to protect your information from misuse.
The malicious actor involved in the cyber incident encrypted servers held at Mercury IT which resulted in many of our core operating systems becoming inoperable. The Accuro team worked tirelessly in the period leading up to Christmas to stand-up a wide range of manual processes which have enabled us to continue processing and paying claims and, in most cases, continue to collect premiums. However, these manual processes are slower than our usual systems and are causing significant delays in our claims processing, so we do ask for your continued patience as we work through this. We have expanded our claims team with additional resources but, without our systems, it is a slow process and the team are doing their very best. Thank you for your understanding and support.
In terms of premium billing, while we are continuing to process most direct debit and credit card payments, there are some cases where we are currently unable to process payments. This includes those who pay on invoice and some direct debit situations.
Importantly, even if you have not been invoiced or a direct debit not taken, you will continue to be covered and your policy remains in force. We will work to resolve any payment gaps once we are fully back up and running.
Whist dealing with the cyber incident, the Accuro team are also working hard to have our new policy administration system in place by the end of February. I will keep you updated on progress as we near the go-live date.
On behalf of the Accuro team, I want to thank you once again for your support as we work through the impacts from the cyber incident. While it continues to be a challenging time, we have been heartened by the kind messages we have received from many members and advisers which inspires us to push through this and come out as an even stronger Society.
Chief Executive Officer
Update 12 January
Following from our December 22 update, we have now become aware that additional Accuro information has been illegally released online by the unauthorised third party responsible for the cyber incident that impacted our IT provider Mercury IT.
It remains our current understanding that this information is from our commercial, finance and management files and largely contains financial and management information relating to Accuro. We are aware however that this does include some limited member personal information. We are working with our incident response partners and cyber forensic experts to understand the exact nature of this information, and who it belongs to.
We would like to assure you that we have no evidence of any misuse of personal information at this time. If we discover any personal information that places you at potential risk, we will directly contact you with the specific steps you can take to protect your information from misuse.
We are here to support you
The Accuro team remain committed to providing you with ongoing updates as more facts are established and providing you with tailored support and advice in response.
A reminder also that, while we will directly contact anyone at risk, you can also contact IDCARE, New Zealand’s national identity and cyber support community service, who can assist with guidance and advice. To use IDCARE’s services, please visit the Accuro page on the IDCARE website or you can call IDCARE on 0800 121 068.
You can also visit the New Zealand Privacy Commissioner website for further information about your privacy rights and tips to stay protected.
If you have any other queries you can email email@example.com or call us on 0800 222 876.
On behalf of the Accuro team I would like to thank you for your support, patience and understanding as we work through this continually evolving situation.
Update 22 December
Following our update on 20 December and the release of some Accuro data online, we are continuing to work with cyber-security and forensic IT experts to analyse what information has been accessed.
While our current understanding is that the data accessed is from our commercial and management files and largely contains financial information relating to Accuro, we have also identified some member contact details and policy numbers. We would like to assure you that we have no evidence of any misuse of personal information and that, if we discover personal information that places you at risk, we will directly contact you with the specific steps you can take to protect your information from misuse.
However, in the meantime, should you be at all concerned about your personal information following this incident, here are some useful tips to protect yourself:
- check links – take note of what is called a ‘Uniform Resource Locator’ or ‘URL’ when on a webpage that is asking for your login credentials. This is located in the address bar of your web browser and typically starts with ‘https://’;
- take caution – if you are suspicious of the address, contact your service provider to ensure you are logging into the correct Do not provide your login details;
- enable additional protections – enable multi-factor authentication for your online accounts where possible and/or ensure you have up-to- date anti-virus software installed on any device you use to access online accounts;
- mobile phone porting – stay alert for mobile phone carriers indicating that your phone is no longer connected to the network where this is unusual, or you have not instructed your mobile phone carrier to terminate the connection. Where this occurs, we recommend alerting your mobile phone carrier of the issue immediately;
- review Scamwatch guidance – you may wish to review the New Zealand Ministry of Business, Innovation & Employment's Scamwatch guidance on protecting yourself from scams here: https://www.consumerprotection.govt.nz/general-help/scamwatch/;
- remember that it is always good practice to review and not reuse passwords. CERT NZ provides guidance around good password practice here: https://www.cert.govt.nz/individuals/guides/how-to- create-a-good-password/;
- for further guidance about protecting your identity, you may wish to visit the New Zealand Government's ID Theft guidance page here: https://www.govt.nz/browse/law-crime-and-justice/identity-theft/.
A reminder also that you can contact ID Care. To use IDCARE’s services, please visit the Accuro page on the IDCARE website or you can call IDCARE on 0800 121 068.
Update 20 December
Since our last update on 14 December, we have now become aware that the unauthorised third party responsible for the cyber-incident, has released online some information from the set of data relating to Accuro which they illegally downloaded from Mercury IT.
Our current understanding is that this information is from our commercial and management files and largely contains financial information relating to Accuro. We are working with our incident response partners to understand if any personal or member information is in the data released by the unauthorised third party.
What are we doing in response?
We are doing all we can to thoroughly analyse what information has been accessed and released to determine who, if anyone, is directly impacted.
Should we discover that any personal information is present we will directly contact anyone deemed to be at risk and advise them of the specific steps they can take to protect their information from misuse.
As previously advised, we have engaged cyber-security and forensic IT experts and have proactively notified relevant regulatory and government agencies of our IT provider’s incident, including the Office of the Privacy Commissioner. We will continue to liaise with these agencies and take their advice.
We are here to support you
We are committed to providing ongoing updates as more facts are established.
While we will contact anyone directly impacted, we have also proactively engaged IDCARE, New Zealand’s national identity and cyber support community service, who can assist with advice and guidance on how to protect your information.
To use IDCARE’s services, please visit the Accuro page on the IDCARE website or you can call IDCARE on 0800 121 068. There is no cost to you for engaging with IDCARE.
You may also wish to visit the New Zealand Privacy Commissioner website for further information about your privacy rights and tips to stay protected.
While we continue to have no access to many of our core systems, we have managed to stand up a number of our regular services. Many of these are now manual and we are grateful for your patience as things take a bit longer than usual.
Claims, Pre-approvals and policy changes continue to be processed but there are delays. Please continue to email claims and preapprovals directly to firstname.lastname@example.org.
We have begun taking premium payments again but if we could not process your premium for any reason, please be assured that you remain fully covered under your policy.
Please note that our last day in the office for this year will be Thursday 22 December. We will re-open on Monday 9 January. Over this time, we will continue to check our inboxes for any urgent pre-approvals or general inquiries.
Update 14 December
Following our last update on Friday 9 December regarding the cyber incident involving our external IT provider (Mercury IT), we have now become aware that the unauthorised third party responsible for the cyber incident has downloaded a set of data from Mercury IT, which contains information relating to Accuro.
We are working as swiftly as possible to thoroughly analyse the downloaded information to determine what it contains, but this may take some time to complete. At this stage we have not identified any personal or member information in the downloaded dataset, but we cannot rule out this possibility.
What are we doing in response?
As previously advised, we have already engaged cyber-security and forensic IT experts and have proactively notified relevant regulatory and government agencies of our IT provider’s incident, including the Office of the Privacy Commissioner. We will continue to liaise with these agencies and take their advice.
Should we discover that any personal or member information is present in the downloaded dataset we will assess this information to determine exactly what it is and who it belongs to, and we will directly contact anyone deemed to be at risk as a result.
We are here to support you
We are committed to providing you with ongoing updates as more facts are established and providing you with tailored support and advice in response.
While we have not yet confirmed whether Accuro member information is included in the downloaded data, if you have concerns about your information or are seeking guidance on how to protect your information, we recommend you visit the IDCARE website. IDCARE are New Zealand’s national identity and cyber support community service, who can assist you with interim advice.
We thank you for your ongoing patience and understanding in relation to this matter.
Update 09 December
Following our initial update on Thursday 1 December regarding the cyber incident involving our external IT provider (Mercury IT), we want to provide a further update on this situation.
It is likely that you have now seen publicity relating to this cyber-incident and that several of Mercury IT’s clients have been impacted.
Mercury IT is working with forensic experts and Government agencies to understand the nature and extent of the impact and Accuro have also employed our own experts to assist us in managing this incident.
All relevant Government agencies including the Privacy Commissioner and the National Cyber Security Centre have been briefed and are actively involved in this investigation.
At this stage we are working with our cyber security experts to understand what, if any, customer data has been impacted. As we know more, we will continue to communicate directly with our stakeholders as well as updating this page.
For the time being, our systems remain offline which is impacting our services and we ask for your continued patience as we introduce manual solutions until we can get ourselves fully operational.
There will be a delay on premiums paid by direct debit and invoice as well as payment of commissions to advisers. We apologise if your usual payment has not yet been received or transacted. We will contact you before any payments are to be taken. Credit Card, automatic payments and manual payments will continue as per normal.
Accuro members continue to be fully covered under their current Accuro policy, regardless of when their premium is taken.
Pre-approvals and Claims
We are continuing to process claims, but the process is slower than usual. We are currently processing claims we received 5 weeks ago and we are prioritising pre-approvals/claims that members have paid for themselves. Please email any pre-approvals or claims directly to email@example.com.
If it is a pre-approval request, please put “pre-approval” in the subject line so that we can prioritise it. These will be prioritised based on the event date of the upcoming procedure, treatment or consultation, those with a date within the next week will take the highest priority.
Unless urgent, please be patient, as all claims will be processed. Contacting us about the status of a claim will unfortunately slow the process down further.
Phone service during this time may be limited, so please email us at firstname.lastname@example.org if you have any urgent enquiries.
The Accuro team is working incredibly hard to do all we can to support you and all our customers as we continue to resolve this situation.
Update 01 December
Accuro’s external IT infrastructure provider (Mercury IT) has been the victim of a cyber-incident that has prevented access to a number of our core systems. Mercury IT is working with their own forensic experts and Government agencies to understand the nature and extent of the impact. We have also notified the relevant regulatory authorities including the Office of the Privacy Commissioner.
Accuro takes its obligations to protect the privacy and confidentiality of our members personal information very seriously.
At this stage we have no evidence that any Accuro data has been affected, but we cannot rule out this possibility. Our current focus is working with Mercury IT to investigate and understand the situation further. As we know more, we will continue to communicate directly with our members and have set up this information page to provide regular updates.
For the time being, our systems remain offline which will impact services and we request your patience as we work towards a solution.
In the meantime, we are continuing to process pre-approvals, although there will be a delay in processing claims. Please email any pre-approvals and claims directly to email@example.com. If it is a pre-approval request, please put “pre-approval” in the subject line so that we can prioritise it.
If you pay your premium via direct debit, there may also be a delay to this payment being deducted from your account.
The Accuro team is working hard to maintain key services while we work through this issue with Mercury IT. Phone service during this time will be limited so please email us at firstname.lastname@example.org if you have any urgent enquiries.
We will continue to update this page as more information becomes available.