According to privacy commissioner Waikato DHB should be actively looking for hacked files on the dark web or elsewhere, according to the privacy commissioner.
John Edwards also issued a warning to district health boards around the country that if any flaws are discovered in the Ministry of Health’s 2020 stocktake of health IT systems, they risk being prosecuted if things go wrong.
The region is in the spotlight after hackers gained access to Waikato DHB networks, and personnel are still operating without most IT after more than a week.
According to him, the privacy commissioner has been alerted of the “ransomware intrusion” but is not “investigating to find culpability at this time.”
However, he is closely monitoring the situation and knows “some patient, staff, contractor and other personal information has been distributed to news media organisations by unknown individuals”.
According to his office, the DHB should contact and support everyone named in the material.
“We would also expect that the DHB would be actively monitoring for potential host sites on the dark web or elsewhere.”
Other DHBs may be aware of security weaknesses in their systems found in the 2020 assessment, according to media reports, Edwards added.
If such issues aren’t addressed already, Edwards warns, there’s a risk of criminal prosecution.
If persons are harmed as a result of a DHB’s information systems not being secure enough, the DHB may be held accountable.
“If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions,” he said.
When asked if any data had been leaked, Waikato DHB chief executive Kevin Snee referenced the files supplied to the media.
He said the suspicion was that it had been released by hackers, and that it had been reported to the police.
“It is a basic contract with our patients that we keep their information private. So it is very upsetting and concerning both for our staff and our patients,” he said.
He had no idea if the similar attack had been launched against other DHBs.
“I don’t think we’re particularly unusual in the way we set up our [IT] infrastructure,” he said.
