SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Waikato DHB cyber attack: 'Sense of violation' over data hack claim
Wed, 26th May 2021

There is widespread alarm about what might happen to highly sensitive patient and staff information from Waikato District Health Board that hackers claim to have obtained.

A group purporting to be responsible for last week's cyber attack has emailed some media saying it has personal information of patients and employees.

Scores of official-looking records and documents containing names, phone numbers, and addresses of patients and staff have been released.

The email and its contents have been referred to the police.

Minister of Health Andrew Little is refusing to front, only issuing a statement saying ransomware attacks are a crime, and that he has been in touch with the Waikato DHB Commissioner Dame Karen Poutasi "about any assistance the DHB requires to support people whose information may have been held in the DHB's systems".

"There is an active police investigation. Other agencies such as the NCSC (National Cyber Security Centre) and the Privacy Commissioner continue to support the DHB," the statement said.

Cyber experts say the danger is that the hackers could sell the data to other cyber criminals, who could then use it to scam the victims, and that whether or not a ransom was paid, there was still no guarantee the data would be secure.

Patients' Rights chairperson Carolyn McKenzie said it was a "very serious matter" that could have a huge impact on someone's life.

"For instance, somebody who perhaps has had a child, they haven't disclosed to family members, or have had other more intimate surgeries that they would rather keep to themselves, that can have an impact on the way in which the rest of the family receives them or treats them," McKenzie said.

There was "a sense of violation when you realise that somebody is using your information to advantage themselves... a deep sense of betrayal for those patients who have been so exposed".

There was no way of compensating for that kind of breach, she said.

"How could you possibly compensate somebody? For that?

"No doubt, there will be some small financial compensation here and there for some people, but really, there isn't any way to compensate... they can only try and improve the security measures that they have on these things."

National Secretary for APEX Union and the Resident Doctors Association, Deborah Powell, said it was "just low-life behaviour".

"And can I just say, well done to the media for not using it, because this is patient and staff information that is confidential... we mustn't buy into releasing that sort of information publicly. It's just wrong," Powell said.

For medical staff the confidentiality of patient information "goes to the heart of the relationship... it's our bread and butter", she said.

If patients did not feel comfortable and confident sharing such highly personal information, doctors could not do their job.

For staff to see others disrespecting something "that fundamental to the health care relationship" would be quite upsetting, she said, "probably even more upsetting than their own private information".

Staff at the DHB were already dealing with the stress of the fallout of having the whole IT system compromised, and Powell said the way they "act, the way we react is important here".

"From the point of view of the media having received the stuff but not using it, that will help immensely - the confidence of the staff to carry on, the pressure on them not being as great as that information won't be released.

"That will help. That will help a lot."

In his statement Little encouraged anyone in the Waikato region concerned about their personal information to call the special response line 0800 561 234, which reopened at 8.30 this morning, and "anyone who needs to talk" could call the free counselling service 1737.

Waikato DHB chief executive Kevin Snee said the DHB was constrained by what it could say.

"We can't comment as it's a matter of police investigation and we are aware that public commentary can be monitored by the malicious actor so we will not be commenting any further."

The files

RNZ reporter Phil Pennington, who has reviewed the documents to see if they were genuine, told Checkpoint there were dozens of files within files.

The documents appeared to include recent data on staff numbers and names, including financial records, contracts and complaints, as well as sensitive patient information, Pennington said.

"It would be a very big exercise indeed to fake something like this, it does appear that they do have sensitive patient information ... there is a lot of it."

The files also included screenshots identifying hundreds of patients and staff and a few individual records, and some documents spelled out diagnoses and medical information.

RNZ is taking care to limit the number of staff who can access the information, and has confined it so it is not accessible on a network.