Waikato DHB must investigate data dump 'at pace' says privacy commissioner
Wednesday, 30 June 2021
Waikato DHB must investigate “at pace” the extent of a document dump which has seen personal staff and patient information published online, the privacy commissioner says.
On Tuesday, Stuff learnt Waikato District Health Board information had been published on the dark web.
The list of documents suggested it included folders containing patient information as well as information about employees and the DHB’s financial affairs. Stuff has not accessed the data to verify the contents.
Privacy Commissioner John Edwards said the document dump was of “great concern”.
“We don’t know how much data is there, and we don’t know too much about the quality of it.
“So I would expect the DHB to be investigating that at some pace,” Edwards told Stuff.
But, despite several requests from Stuff on Tuesday, Waikato DHB's communications team was unable to organise an interview with chief executive Kevin Snee.
It was not clear how many staff members or patients have had personal information compromised, or how many people the DHB has contacted about it so far.
Edwards said there was a risk that personal information on the dark web could be used for identity theft.
If people knew their data was on the dark web, they could request a credit freeze from credit reporters Centrix, Illion and Equifax, Edwards said.
Waikato DHB could be liable if its systems were found at fault and if people had suffered harm from the personal information being published, Edwards said, but it wasn’t possible to speculate about liability until a proper investigation had been done.
“I don't know yet whether the DHB has taken enough prudent steps to prevent this from happening.
“It’s possible an organisation can take every prudent step in the world but that gets subverted in some way by a dishonest actor.”
The DHB needed to notify all individuals included in the data, and take steps to prevent further distribution of the information, Edwards said.
It was also unclear whether the information had been copied elsewhere, Edwards said.
The crippling cyberattack, which occurred in the early hours of May 18, shut down hospital IT systems, disrupting services for weeks.
Health Minister Andrew Little promised on Monday a “full, independent inquiry” into the attack, in a debate in Parliament.
He said cyberattacks were a “reality of the world”, following the paralysing ransomware attack on the Irish health service recently.
But the inquiry would investigate the DHB’s systems before the ransomware attack and the quality of the response to it, he said.