1 Jul 2021

Data stolen from Waikato DHB during cyberattack may be sold online, expert says

7:26 am on 1 July 2021

An information security expert says patient data stolen from Waikato DHB may be sold online to people trying to take out loans or commit other forms of identity theft.

Waikato Hospital (file image). Photo: RNZ / Simon Rogers

Information taken from the health board and this week posted on the dark web includes patients' records and personally identifiable information such as addresses and copies of passports.

Aura Information Security general manager Peter Bailey said there are marketplaces on the dark web where criminals buy this kind of information to use for fraudulent purposes.

Aura saw a lot of this type of theft, especially of sensitive data from hospitals and banks, and the subsequent attempt to resell this data on dark web marketplaces.

"Personally identifiable information where you've got names and addresses and some banking information - they go for anywhere between $6 and $10 per item, whereas a scanned passport could go for $20 or $30," Bailey said.

It was not known how many patients and staff had their information taken in the breach. There are about 435,000 people living in the Waikato DHB area.

Bailey said there was a "fair amount of money" to be made from the sale of private data.

People should be aware identity theft was a possibility, and at the higher end of the scale criminals could attempt to take out a mortgage or loan.

"When we see these sorts of attacks happen and people lose their data, it definitely can be a concern," Bailey said.

"Obviously banks are aware this kind of identity fraud is out there and there are a lot of checks and balances in place to try stop that happening... The more information they have, the more likely it is they can set up these accounts. So things like passport information, drivers' licences, name and addresses."

There were other possibilities, such as a leaked phone number or email address being contacted by scammers, he said.

If Waikato DHB patients were concerned, they should change their usernames and passwords on online accounts, keep an extra eye out for phishing and scam emails, and raise the issue with their bank so it was aware their details had been leaked, Bailey said.
