Unknown cyber-criminals sent stolen information to the media to pile on pressure to pay a ransom. RNZ subsequently aired a scoop sourced from it before a court ordered all media to dump the dodgy data. The Privacy Commissioner tells Mediawatch RNZ was unethical and he wants action - but RNZ insists the public interest was well served.
Waikato District Health Board’s operations were paralysed by the cyberattack back in May which took weeks to recover from.
To make matters worse, data including private medical records were harvested by the hackers who demanded money to hand it all back.
While the DHB tried to alert people whose privacy had been breached, media verified the information while reassuring people they were doing it responsibly.
TVNZ News engaged cyber-security expert Daniel Ayers to do it and told viewers its staff did not look at the stolen data themselves.
RNZ told listeners it had “digitally confined” the information and “would not be publishing it”.
“Well done to the media for not using it,” Resident Doctors Association national secretary Deborah Powell said the next day.
"That will help immensely - the confidence of the staff to carry on, the pressure on them not being as great as that information won't be released,” she told Morning Report.
But the information was not confined from RNZ’s news gathering.
In June RNZ revealed a child - who was not unwell - spent more than nine weeks in a Waikato hospital because Oranga Tamariki failed to find a suitable placement. DHB staff were distressed by the apparent abandonment of the child.
But RNZ had discovered the story in the data posted online by the cyberattackers - and aired it in spite of the earlier promise “not to publish” the stolen information.
“RNZ reviewed the file directory linked on the dark web and opened a small number of folders and sub-folders. This was done to verify that the documents were what they purported to be. In doing so, RNZ opened and read a small number of documents and files - and this is how the documents pertaining to Oranga Tamariki were discovered.”
- RNZ statement
Privacy Commissioner John Edwards was alarmed by what he heard on air:
“This reporting would appear to raise quite significant ethical questions, and I would be concerned to think of journalists trawling through illegally obtained deeply sensitive personal information to identify and generate stories,” the Office of the Privacy Commissioner said in a statement shortly after the story aired.
“The fact that one media source would appear to have done so may prompt others to do so - effectively creating a market for, and monetising, this very personal material,” he said.
One week later Waikato DHB went to the High Court to prevent RNZ and other media using their stolen information for news.
The Court decided (PDF) privacy rights of the patients whose information was stolen significantly outweighed any public interest in publication.
But the judgment did not require RNZ to remove its Oranga Tamariki scoop online.
RNZ’s head of news Richard Sutherland said RNZ had already indicated it would not use other documents and RNZ worked with the DHB to reach this agreement.
"RNZ stands by its view that the public interest was best served in bringing the case to light," Sutherland said.
The Privacy Commissioner this week met with RNZ’s chief executive Paul Thompson, who is also RNZ’s editor-in-chief.
“We had a frank discussion and we came away understanding each other’s position,” he told Mediawatch.
But he confirmed he intends to complain about RNZ to the Broadcasting Standards Authority and the New Zealand Media Council.
“I’d like the relevant authorities to examine their standards and codes and see if they are fit for purpose in this modern age,” he said.
“I think it’s really important that the ethical dimensions of this get thoroughly examined because it’s unlikely that this will be the last instance we see of personal information being stolen. It shouldn’t be regarded as being there to identify new stories,” Edwards told Mediawatch.
“This could be a race to the bottom. RNZ has decided to see what it could find and then construct a public interest argument. The oversight agencies - such as the BSA - have a role to play there in setting some ethical limits,” he said.
Yet RNZ had brought to light a child stuck in a hospital and great concern amongst DHB staff. It was another failing at a state agency whose conduct and competence has been a major public issue lately.
Once a news organisation became aware of this, could they really ignore it?
“This is predicated on unethical access to unlawfully obtained information. They just shouldn’t have seen it,” Edwards said.
“If an RNZ journalist walks past an OT office and finds the door is open, should they go in? Once inside if they see a computer terminal turned on, should they sit down and tap away at that?” Edwards asked.
Pushback on privacy
“It was nothing like that at all,” RNZ’s Paul Thompson told Mediawatch.
“Initially we went and looked on the dark web to see whether the material there was the material that had been compromised at the DHB. There’s no way of telling unless you look at it. That’s an important aspect of journalistic inquiry. What we did not do was rove and roam across the database and look into private medical records,“ Thompson said.
“I haven’t had to consider something quite like this before. The head of news Richard Sutherland and I had to wrestle with it and we got legal advice to decide that story was in the public interest. But the reporting itself was really careful and judicious - and senior editors guided it all the way through,” he told Mediawatch.
"It is good that the Privacy Commissioner is advocating his position but media companies have to weigh both the public interest and privacy. Many aspects of journalism do cause privacy concerns. That is an essential and unavoidable part of journalism,” he said.
But opinion was not unanimous at RNZ about publishing the story.
“We sought other opinions and challenged ourselves but in the end I was confident - as was Richard (Sutherland, head of RNZ news) - that we had taken what steps we needed to take to ensure we protected the privacy of the individual - and that public interest justified the publication and broadcast,“ he said.
In the 4 August judgement ordering RNZ and other media not to use the stolen data any more Justice Churchman said “publicising the highly confidential and sensitive information that it contains would be a source of immense distress to all individuals whose confidential information is at risk of being so misused”.
Justice Churchman also pointed to the danger of assisting extortionists “by demonstrating to them the willingness of media organisations in particular to utilise stolen confidential data for their own ends”.
Isn't the public interest also harmed by a public service broadcaster creating news out of stolen information - given that the unknown cyberattackers looped the media in in the hope of greater exposure?
“It is a real consideration but it’s not a binary matter in my view that means no journalistic inquiry is justified in the circumstances. It’s something that the journalism profession is going to have to wrestle with and it’s never going to be clear as some people would like. It will come down to how individual media organisations handle particular issues and I think the way we handled this issue, given all the circumstances, was appropriate,” Paul Thompson told Mediawatch.
“We pushed back on the DHB’s request that we take down the stories from the web ... which I think is important. We will have a case if formal complaints go through to the regulatory agencies and we have an open mind about how the debate now develops,” he said.
“It is a leap to say that our judicious reporting of this one particular matter which has high public interest somehow sets a precedent for everyone else - and somehow creates a real risk of looking for private records in the way people have concerns about,“ Thompson said.
What is best practice?
The same day RNZ’s Oranga Tamariki scoop came out, WYNC’s On the Media show pondered The Ethics of Reporting on Data Leaked From Ransomware Attacks - including other cases of ransomware blocking hospitals from accessing their own data.
Ransomware attacks rose by 158 percent in North America between 2019 and 2020, with many hackers turning to the media as an extortion ploy.
“There is no single standard. Every media outlet sort of decides on its own what it feels comfortable doing,” said Kim Zetter, a journalist covering cybersecurity told On the Media.
Exposure of hacked material in news media can also serve the public interest in another way - highlighting the consequences of vulnerabilities that lead to privacy breaches in first place. Arguably that in itself could be an incentive to tighten up systems and make them safer from cybercrime.
So what should media do when confronted with hacked data as part of a ransom bid?
“The first thing is to notify the legitimate custodian of the information so they can take steps to protect it,” Privacy Commissioner John Edwards told Mediawatch.
“That may mean seeking the sorts of court orders that Waikato DHB did last week a bit more promptly. That will take the burden of those difficult judgments away from the media because it would be prohibited by the court,” Edwards said.
Paul Thompson agreed all media need to consider how to handle hacked data because it won't be the last time they confront the problem.
“Journalistic practice does evolve over time and this is one example we do need to think about and see what the BSA and the Media Council think about this matter,“ Thompson said.
“But I think it would be a very sad day if anyone started to develop proscriptive rules that constrained journalism and journalistic freedom,“ he added.