Privacy commissioner looks at options after RNZ uses hacked health file for news report

Friday, 30 July 2021

In June, Health Minister Andrew Little promised an inquiry into the Waikato DHB hack.

RNZ has defended publishing a news report based on personal information leaked online by the Waikato DHB ransomware attackers that highlighted the situation of a child in the care of Oranga Tamariki.

Privacy commissioner John Edwards said he might bring the matter to the attention of the Broadcasting Standards Authority or the Media Council, despite news-gathering being exempt from the provisions of the Privacy Act.

RNZ’s report indicated that a child, who it did not name, had been traumatised after being left in the care of a Waikato hospital for nine weeks by Oranga Tamariki despite not being unwell, after a placement had broken down.

Edwards issued a statement on Thursday blasting RNZ for reporting personal information from documents leaked online after the Waikato DHB hack.

* Fear patient data may have been stolen from Auckland DHBs

* Waikato DHB cyber breach: expect 'sensitive personal' info releases, says privacy boss

“This reporting would appear to raise quite significant ethical questions, and I would be concerned to think of journalists trawling through illegally-obtained deeply sensitive personal information to identify and generate stories,” he wrote.

“The fact that one media source would appear to have done so may prompt others to do so – effectively creating a market for, and monetising, this very personal material,” he wrote.

RNZ head of news Richard Sutherland says the broadcaster stands by its decision to publish report based on document leaked by ransomware attackers.

Brett Callow, a threat analyst with cyber-security company Emsisoft said ransomware attackers did attempt to “weaponise” the media, sometimes supplying them with leaked documents that showed victims in a bad light.

The criminals' aim likely isn’t only to influence the outcome of the current incident, but to influence other incidents too, he said.

“The more pain victim organisations are made to feel, and the more lawsuits are launched against them, the more likely it is that future victims will pay to prevent the same thing happening to them.

“On the other hand, without the involvement of the press, the full extent of some incidents would never be known,” he said. “In fact, it may never even come to light that there had been an incident.”

Edwards clarified to Stuff that his concerns were not about the risk that RNZ’s report could assist ransomware attackers by encouraging victims to pay ransoms, and were instead entirely based on privacy.

“Any information which has come from the Waikato DHB ransomware breach is likely to be sensitive personal information, which is likely to cause a great deal of anxiety to the people affected.”

Edwards said he was considering bringing RNZ’s report to the attention of the Broadcasting Standards Authority or the New Zealand Media Council.

“The fact that the news media in relation to its news-gathering is exempt from the Privacy Act does not mean that I am precluded from making statements about practices which have an impact on the privacy of New Zealanders,” he said.

Privacy commissioner John Edwards says RNZ’s reporting raises “quite significant ethical questions” and sent mixed signals on what action he could take.

Nor did it preclude him from approaching the media bodies in his capacity as privacy commissioner about the matter, he said.

Edwards indicated he was also looking at some options to take direct action under his own statutory powers, before hesitating on that point and then declining to confirm that.

The Media Freedom Committee, which represents the senior editorial leadership of the country's major news and current affairs organisations, has been approached for comment.

RNZ head of news Richard Sutherland said RNZ did consider the risk that its report could play into the hands of ransomware attacks by highlighting the consequences that can follow from victims choosing not to suppress hacked information by paying ransoms, as well as the privacy issues.

“We did think very carefully about all those aspects and the final decision was that on balance it was important to get that story into the public domain.”

Sutherland said he didn’t know if the Waikato DHB hackers would be pleased by that choice.

“Are they pleased? I don’t know.

“I am not sitting here worried about what the hackers are thinking, I am worried about a young child that has been hung out to dry by a system that is supposed to look after them.”

Sutherland noted RNZ’s report had resulted in an apology from Oranga Tamariki and the promise of an investigation by Minister for Children Kelvin Davis.

“On balance, I stand by and RNZ stands by the decision to publish,” he said.

Sutherland disputed Edwards’ characterisation of it trawling through documents.

The document containing information about the child was one of a “small number of documents and files” that RNZ had accessed after they were leaked on the dark web by the attackers, he said.

RNZ had originally accessed those documents to confirm the authenticity of the leak, although he agreed it had then used that document for the different purpose of its news report.

Edwards was “more than welcome” to access any avenues that he thought he could to register his complaints or displeasure with RNZ’s reporting, he said.

Waikato DHB has indicated it expects to be able to provide more information about the ransomware attack and its response by October 28, by which time it expects its investigation to be complete.

At the moment it still did not have full access to all its IT resources, it said in response to an official information access request.

HealthAlliance, which provides IT services for the country’s four northern district health boards, including Auckland DHB, said it was continuing to investigate an incident involving “unusual activity” on its IT systems.

“The investigation remains ongoing and there are no further developments to add,” a spokesman said.