eHealthNews.nz: Information Governance

Privacy Commissioner threatens prosecution for inadequate security of DHB systems

Wednesday, 26 May 2021  

NEWS - eHealthNews.nz editor Rebecca McBeth

The Privacy Commissioner has warned DHBs could be prosecuted for failing to address security failings following news that Waikato DHB patients’ information has been sent to New Zealand media organisations.

An email attachment is thought to be the entry point for a cybersecurity attack on Waikato DHB which caused a full outage of its Information Services on May 18 and is continuing to cause chaos across the region.

Deputy director general data and digital Shayne Hunter has described the attack as "probably the most significant attack that we've had in New Zealand on any organisation". 

The media have since been sent personal and patient information from Waikato DHB.

Privacy Commissioner John Edwards says his expectation is that the DHB would notify and offer support to the individuals identified in that information "without delay".

"We would also expect that the DHB would be actively monitoring for potential host sites on the Dark Web or elsewhere."

Mr Edwards says his office is not investigating to determine any liability at this stage, but if a DHB is found not to have taken adequate security measures to protect its information systems, it could be liable to any staff member, contractor or patient who suffers harm as a result.

A current-state assessment of DHB assets released in June last year found that IT infrastructure, networks and security were “outdated and not adequate to support the introduction of new systems and to manage the increased cyber security issues”.

“There are multiple versions and customisations of core applications, ageing infrastructure, limited network capacity and devices not fit for purpose. This reduces productivity, increases costs for maintenance and support and increases cyber security risk,” it says.

The Ministry of Health worked with primary health organisations and DHBs to check the security of their systems in 2019 following revelations that health data on more than 900,000 patients may have been illegally accessed as part of a cyber attack on PHO Tū Ora Compass Health.

Director-general of health Ashley Bloomfield said at the time the Ministry was working with other PHOs and DHBs to check the security of their systems and, if necessary, ensure this was strengthened. The MoH was also commissioning further independent reviews of the security of PHO and DHB information systems.

A statement from the Privacy Commissioner says he understands other DHBs may be aware of security vulnerabilities in their systems as a result of the audit.

“Our expectation would be that they should have taken, and if they have not should now take, steps to act on any deficiencies in security.

“If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions,” Edwards said.

Media outlets have confirmed they will not make the patient information they have received public and have referred it to the Police.

Waikato DHB Chief Executive Dr Kevin Snee acknowledged the concern and anxiety of staff and patients about their data and information and said the majority of individuals identified in the released information have now been contacted.

He says the matter is an ongoing criminal investigation and the DHB is working closely with the National Cyber Security Centre, Government Communications Security Bureau (GCSB), the Privacy Commission and NZ Police to respond, remediate and recover from this incident.

Priority areas for restoration are: radiation therapy, lab systems, radiology for imaging, result viewer and the patient administration system IPM.

Full manual processes have been implemented across the DHB and work continues to determine how best to support the backlog of patients whose care has been deferred, says Snee. 

Patients are being asked to bring their appointment letter and any other information that they have from their GP or referrer as the DHB does not have access to its clinic booking information.

“This is an extremely serious situation and I am proud of staff who are doing their utmost in maintaining business as usual in an environment that is clearly not usual,” Snee says.

This article was updated on June 1, 2021.