NovaHealth data lapse investigation: internal files and regulator questions

An exclusive look at internal memos and public filings that suggest systemic cyber weaknesses at NovaHealth

Headline: Internal documents show persistent cyber failures at NovaHealth — regulators open formal inquiry

Quick take
– What happened: Leaked and public records show NovaHealth struggled for months with high‑severity security flaws first flagged in a late‑2024 penetration test (PNH‑2024‑PT1).
– Key pieces: CISO memo dated 2025‑03‑12, internal IT incident logs from Jan–Jun 2025, regulator correspondence (DPA case #2025‑112), and a limited company notice on 2025‑09‑02.
– Why it matters: Delayed fixes, inconsistent disclosures and continuing intrusion attempts raise questions about patient data exposure, governance and possible enforcement by the Data Protection Authority.
– What we’re watching: regulator determinations, follow‑up forensic reports, remediation timelines and any litigation or regulatory fines.

Lead
NovaHealth’s internal papers trace a worrying story: a third‑party test in late 2024 flagged critical weaknesses that remained only partially fixed through mid‑2025.

The company’s own logs and a CISO memo show repeated alerts, stalled remediation tickets and ongoing intrusion attempts. Regulators opened DPA case #2025‑112 after multiple complaints; NovaHealth issued a brief public notice on 2025‑09‑02 that omits technical details present in the internal record.

What we reviewed
Our reporting is based on documents the newsroom verified and cross‑checked against public filings:
– Penetration test: PNH‑2024‑PT1 (late 2024) — high‑severity findings and recommended fixes.
– CISO memo: 2025‑03‑12 — prioritized remediation steps and temporary mitigations.
– Incident logs/ticketing: Jan–Jun 2025 — timestamps, follow‑ups and open high‑priority items.
– Regulator files: Data Protection Authority correspondence and DPA case #2025‑112.
– Contracts/SLA extracts and internal meeting minutes showing decision threads.

Reconstructed timeline (concise)
– Late 2024: External pen test (PNH‑2024‑PT1) identifies critical vulnerabilities in externally facing systems.
– Jan–Mar 2025: Monitoring logs record anomalous access patterns and multiple intrusion attempts.
– 2025‑03‑12: CISO sends memo to CEO recommending urgent remediation and temporary controls.
– Apr–Jun 2025: Partial remediation underway; many high‑priority tickets remain open, with delays attributed to budget and operational constraints.
– July–Aug 2025: DPA receives complaints and issues formal information requests.
– 2025‑09‑02: NovaHealth issues a short public notice acknowledging an incident without the level of technical detail contained in internal files.

Who’s involved
– CISO and internal IT incident response teams — authored memos, tracked tickets and led forensic triage.
– Executive leadership and the CEO — received escalations and debated costs and service disruption.
– Third‑party security firm — produced PNH‑2024‑PT1 and prioritized fixes.
– Compliance/legal teams and external counsel — coordinated regulator engagement and advised on disclosures.
– Data Protection Authority — opened DPA case #2025‑112 and requested documentation.

Key findings
– Persistent exposure: High‑severity findings from late 2024 appear in internal logs through mid‑2025, indicating prolonged windows of potential exploitation.
– Remediation lag: Multiple high‑priority remediation tickets remained open past recommended deadlines; fixes were applied unevenly across systems.
– Inconsistent messaging: Internal severity assessments and technical details don’t match the company’s limited public notice on 2025‑09‑02.
– Forensic gaps: Some evidence snapshots and chain‑of‑custody artifacts were delayed or incomplete, which could complicate attribution and notification decisions.
– Contractual complexity: SLAs and vendor responsibilities muddy where detection and remediation duties lay, potentially affecting liability.

Regulatory and legal implications
– The DPA’s open inquiry (case #2025‑112) may lead to enforcement if the authority finds notification, mitigation or disclosure duties were unmet.
– Delays and documentation gaps increase the risk of fines, mandated corrective orders, or civil claims by affected individuals and partners.
– Insurance coverage, contractual liabilities and investor confidence could all be affected depending on regulator findings and final forensic determinations.

What happens next
– Regulators: The DPA is likely to press for more detailed reports and forensic artifacts; enforcement or remedial orders are possible.
– Company: Expect continued internal remediation, verification scans, follow‑up penetration testing and refined public disclosures as forensic work completes.
– Legal/claims: Counsel and claimant law firms may pursue civil actions depending on the outcome of the regulator’s review.
– Our reporting: We will seek redacted technical reports for independent expert review, pursue sworn statements from key actors, and publish verified updates as new filings and findings become available.

Why this matters to patients, partners and investors
Healthcare data is highly sensitive. Prolonged exposure windows and unclear disclosure practices can increase the risk of identity theft, fraud and reputational damage. Partners dependent on NovaHealth’s security controls may face contractual knock‑on effects; investors will watch for regulatory penalties and remediation costs.