25 May 2021

Waikato DHB cyber attack: Patient, staff data taken, says group claiming hack

6:09 pm on 25 May 2021

A group purporting to be responsible for the cyber attack on the Waikato District Health Board (DHB) has sent an email, saying it has personal information of patients and employees.

Waikato Hospital

Photo: RNZ / Simon Rogers

The DHB's entire system crashed a week ago due to a ransomware attack, with some services still down now.

Media organisations were sent the email last night and the cache of material appears to include hijacked information. RNZ referred the email to police.

Waikato DHB chief executive Kevin Snee said the DHB was constrained by what it could say.

"We can't comment as it's a matter of police investigation and we are aware that public commentary can be monitored by the malicious actor so we will not be commenting any further."

Snee said incident response, investigation and remediation was ongoing.

"A number of cyber security experts working with us and the police who are investigating and making sure all leads are followed."

He said a plan was in place if private medical information became public.

"So in these circumstances it is good practice to work with experts in the field and we are working with a company to make sure that all measures are taken by the DHB to protect patients and staff who may have a privacy breach."

Privacy Commissioner John Edwards said his office was continuing to provide advisory support to Waikato DHB and had not yet received any complaints about the breach.

Edwards said police would determine if the email was genuine or not.

He said speculating publicly about the possible harms and outcomes without knowing more would be unhelpful.

RNZ reporter Phil Pennington, who has reviewed the documents to see if they were genuine, told Checkpoint there were dozens of files within files.

He said the documents appeared to include recent data on staff numbers and names, including financial records, contracts and complaints, as well as sensitive patient information.

"It would be a very big excercise indeed to fake something like this, it does appear that they do have sensitive patient information ... there is a lot of it," he said.

The files also included screenshots identifying hundreds of patients and staff, a few individual records, and some documents spelled out diagnoses, and medical information.

RNZ is taking care to limit the number of staff who can access the information, and confined it so it is not accessible on a network.

Waikato University computer science senior lecturer Vimal Kumar said pressure would be on the DHB to retrieve the information, but that begged the question of how much the hackers could be trusted "that they will not make copies and they will just delete all the data once they have the ransom".

"The attackers would like to make a lot of noise about the data and they would want to try and see how much they can agitate the public on this and put pressure on the DHB."

He said the hackers could sell the data to other cyber criminals and it could be used to scam the victims.

"So you are getting an email or getting an actual mail with somebody trying to pretend to be someone and knowing a lot of information about you, because they got all that information from that data breach."

Kumar said regardless of whether a ransom was paid or not, there was no guarantee the data would be secure.

The DHB said current and former patients needed to be very wary of unsolicited communications claiming to be from the DHB, but it did not know of anyone who had received such communication.

Cancer patients requiring radiation treatment were being sent to private hospitals in Tauranga and Wellington for treatment while the DHB's systems are still down due to the cyber attack.

Hospital and community services director Chris Lowry said there was concern from clinical staff about how they would handle new referrals into the system.

This may include sending patients to other DHBs and possibly to Australia.

"So the clinical teams are raising that as an option. We just need to make sure we have worked through insuring we can use all available space within other cancer centres, without displacing any of their patients before we then look at that, and that would certainly be looked at from a national perspective," Lowry said.

Snee denied the DHB was in any way playing down the situation with its failed IT system.

"While the service has coped and people have gone above and beyond actually, there are issues that have emerged as long as this goes on, cancer [treatment] is a set of particular circumstances that we need to address.

"Obviously all of our services are not working as normal and we think it is important that people understand this. The services are trying really hard to deliver the best possible care for patients under very difficult circumstances."

The DHB said while its main phone numbers were now operational, callers could expect delays or call dropouts and should keep trying.

Get the RNZ app

for ad-free news and current affairs