Pinnacle says it does not hold information like GP notes, but does hold personal information such as names, addresses and National Health Index numbers. (File photo) Photo: 123RF
People worried about their health data security can ask a credit agency to put an alert system in place, an expert says.
The expert's advice follows revelations yesterday that Pinnacle Midlands Health is investigating a major cyberattack in which hackers potentially accessed patient data of up to 450,000 people across the North Island.
The network was hacked on 28 September, affecting regional offices and GP practices across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.
The company said although the system breached did not contain patients' clinical notes, it did hold personal information.
Cybersecurity expert Alastair Millar, from Aura Information Security, said the potential for identity theft was a worry for all the people affected, however, Pinnacle had been open about it and was pointing people towards support service IDCARE and the tools available to try and protect their identity.
Pinnacle Midlands Health would not comment on whether it was negotiating with the hackers.
But Millar said it was possible that the hackers could be seeking a large financial sum in exchange or to sell the data on the dark web, as was done in a separate hack on Waikato District Health Board last year.
With people's NHI number and their contact information, hackers could obtain credit cards, take out loans or buy gift cards, he said.
"It's surprisingly common and obviously the credit card companies and other ones [businesses] will work hard to help you but it's not a pleasant experience and it takes some time to sort out."
Patients who were worried can go to the Pinnacle website to get advice on the help that is available, check their credit history with agencies such as Centrix, and get a credit freeze for about three weeks if they believe they are at risk or affected.
The best thing people worried about the security of their health data could do was to approach a credit agency and see if they could get an alert put in place, Millar said.
"So if credit checks or credit are taken out against you, you get an alert and you can then go 'I didn't do that' or 'I did do that' so you know, and that would apply to banking and insurance and any other kind of thing where you're giving your information."
Strong protections for IT systems were available, but the health system was particularly vulnerable because of some old systems that were still in place, he said.
'Patient notes are not compromised'
Pinnacle Midlands Health said it had a "fair indication" of how the major hack occurred but could not yet provide any more details.
Chief executive Justin Butcher said it had been advised by cybersecurity experts not to make this information public.
Analysis was still being done on how many people had been affected, he said.
He told Morning Report he was awaiting the latest information before saying how many people had accessed the 0800 121 068 number that was assisting those concerned they might have been affected.
Medical records were stored in a separate domain that was not impacted, Butcher said.
"So we're confident based on the information we have at the moment that patient notes are not compromised," he said.
The attack comes less than a year after the government announced $75 million in funding to boost cybersecurity in the health system.
Pinnacle had not received any of the latest funding but it was continuing to talk to Whatu Ora Health New Zealand.
Internal and external audits had been done on Pinnacle's systems over the past 12 months and it had also acted on recommendations distributed through the health sector.
"But obviously we always want to ensure we're at the top of it, so we are going to look at that as part of our review."
In May 2021, a hack crippled services across five hospitals including Waikato and those responsible for the ransomware attack dumped large tranches of the DHB's private patient and employee details on the dark web.
