Waikato DHB’s information systems were affected by a cyber security incident on Tuesday, 18 May 2021. This incident affected services at Waikato, Te Kuiti, Taumarunui, Thames and Tokoroa hospitals and our community-based services.
While we continue to receive support from expert cyber security professionals, we wanted to provide an update on progress since our last statement was published on our website.
Waikato DHB also wants to take the opportunity to sincerely apologise to the Waikato community for the added stress this incident caused during a challenging time for all. We also thank everyone for their patience and support while we worked through this cyber incident.
As soon as Waikato DHB became aware of the incident, our incident response plan was implemented to get our digital systems back up and running as quickly and securely as possible.
This included partnering with Government agencies (e.g. the National Cyber Security Centre) and several New Zealand and international incident response specialists to ensure we retained integrity across Waikato DHB’s digital environment.
However, the incident response process took time as Waikato DHB is a complex organisation serving over 400,000 patients, providing specialist tertiary hospital services and operating several supporting secondary hospitals and facilities.
For example, Waikato DHB maintains a considerable number of servers, thousands of endpoint devices and uses a significant number of applications for specialist clinical services. All these systems required cleansing or restoration, despite server operating system patches being up to date at the time of the incident.
Waikato DHB has since progressed well through the recovery phase of the incident response process, with most systems returned to full functionality or on standby to be reconnected. This has been a rigorous process to ensure only secure and protected systems were recommissioned in “waves” for use by Waikato DHB following the incident.
Currently, our understanding is that the incident has been successfully contained and no longer presents an ongoing risk from a digital systems perspective. Further, Waikato DHB is also not aware of any stolen data being misused beyond the attempt to extort a ransom from Waikato DHB. However, this is our current understanding, and we are monitoring this closely.
While the primary focus of the incident response process so far has been containment and the restoration of Waikato DHB digital systems, the investigation’s focus has now shifted to reviewing forensic evidence on the sections of Waikato DHB’s digital network that were affected. The findings from this investigation will be used to improve Waikato DHB’s information security resilience as we move forward from the incident.
Information Security Improvements
Waikato DHB continues to strengthen and improve technical and operational security measures to deliver safe healthcare services to the Waikato community.
To achieve this, Waikato DHB has introduced improved security controls across its digital systems, including process controls. Separately, several security reviews have been undertaken, and as a result, Waikato DHB is further strengthening the external perimeter of its digital network.
This is part of a continuing process to uplift operational, technical and governance frameworks related to information security. For example, Waikato DHB continues to switch to cloud-based services following a Government directive requiring state health providers to adopt such technologies from vendors vetted and approved by the Department of Internal Affairs.
Further, Waikato DHB also continues to recruit IT specialists to strengthen Waikato DHB’s information security posture. These steps align with the direction of the Ministry of Health to progressively modernise the state healthcare sector’s digital environment.
Finally, Waikato DHB continues to maintain compliance with the Health Information Security Framework to drive increased information security and maturity as assessed by security audits.
Together, these measures are an example of how the incident response process will inform Waikato DHB’s information security strategy. Waikato DHB will also work with Government agencies, including other District Health Boards, to share the lessons learned from the incident to support the continuous improvement of New Zealand’s cyber security maturity in the healthcare sector.
In addition to working with private New Zealand and international cyber security experts, Waikato DHB’s incident response process has involved the Police, the Privacy Commissioner, and the Government Communications Security Bureau (specifically the National Cyber Security Centre) in investigating this incident.
Waikato DHB has also worked with the Inland Revenue Department Te Tari Taake, Department of Internal Affairs Te Tari Taiwhenua and Waka Kotahi NZ Transport Agency to inform them of the impacts of the incident so that they can monitor for any attempted misuse of stolen data and put any necessary protective measures in place.
The collaboration with such agencies has informed Waikato DHB’s incident response process and ensured that all appropriate steps were taken during the response process.
Immediately following the incident, Waikato DHB took steps to secure our systems. With the support of our internal IT team and external cyber experts, we initiated an investigation to contain the incident’s impacts and begin the restoration process as quickly as possible. As part of this process, Waikato DHB also notified the Police and the National Cyber Security Centre that the incident appeared to have been caused by a malicious cyber actor.
Waikato DHB remains conscious that malicious cyber actors monitor public commentary on incidents. For this reason we are not providing additional details regarding the incident’s cause, methods used, the value of the ransom or who may be responsible.
Similarly, the costs of the incident will remain confidential. In part, this is to prevent any malicious actors from evaluating the commercial impacts of ransomware for New Zealand District Health Boards and targeting any other organisation.
However, what we can say is that the incident was typical of a ransomware event. That is, malicious software was used to “lock up” Waikato DHB’s data (e.g. information and files) and interrupt digital systems. Waikato DHB then received a ransom demand to unlock the data and the digital systems.
During this “lock-up” period, Waikato DHB did not pay the ransom to the malicious cyber actor. Instead, for the most part, Waikato DHB restored its systems from backups recorded the night before the incident.
Waikato DHB has been aware of its obligations under privacy laws (including the obligation to notify affected individuals) since it became aware of the incident. For example, Waikato DHB immediately informed the Privacy Commissioner about the incident in accordance with the incident response plan.
Waikato DHB has also continued to provide updates and engage in consultation with the Privacy Commissioner to ensure that appropriate steps were taken to protect the privacy interests of the Waikato community and that helpful support and guidance was made available to those with any questions or concerns.
In terms of notifications to affected individuals, Waikato DHB has now issued over 80% of the total number of privacy notifications. These notifications have been tailored, with the guidance and notification methods used reflecting the level of support required for a particular individual.
As Waikato DHB begins to complete the notification process, the Privacy Commissioner will continue to be updated on notification progress and the level of support provided to community members who have any questions or concerns regarding their personal information.
More generally, following the data disclosure event, Waikato DHB has also obtained High Court orders to protect any personal and confidential information that was stolen from further access or publication by media agencies and others.
We would also like to remind the community that support remains available to anyone who may have any questions or concerns about their personal information following the incident. Listed below are some of the organisations (including their contact details) where further support and guidance can be obtained.
Again, Waikato DHB sincerely apologises to the Waikato community for the added stress this incident is causing during a challenging time for all.
Below are some of the organisations that are here to support you should you have any questions or concerns:
1. Waikato DHB
If you have any other questions after reviewing the information in this letter, please do not hesitate to contact us at firstname.lastname@example.org. Alternatively, you can contact us at our helpline on 0800 561 234. The helpline is available 24 hours a day, Monday to Friday.
2. IDCARE
If you have concerns about your information or are seeking additional ways to protect yourself, you may wish to contact IDCARE, New Zealand’s national identity and cyber support community service. IDCARE is a registered New Zealand charity that specialises in working with community members to protect and respond to personal information risks.
You can engage an IDCARE case manager via IDCARE’s ‘Get Help Web Form’ at https://www.idcare.org/contact/get-help, where you can arrange a confidential discussion with a professional at a time that suits you. You can also call 0800 121 068 between 10am and 7pm. There is no cost to you for engaging with IDCARE.
Alternatively, you may visit IDCARE’s ‘Learning Centre’ for further information and resources on protecting your personal information (https://www.idcare.org/learning-centre).
3. Privacy Commissioner
The Privacy Commissioner has been notified about this incident. If you have further concerns, you have the right to complain to the Privacy Commissioner.
You may wish to visit the New Zealand Privacy Commissioner website for further information about your privacy rights and responding to cyber security incidents (https://www.privacy.org.nz/your-rights/your-privacy-rights/).
4. Kaitiaki support
A roster has been set up to ensure Māori patients and their whānau have 24/7 access to Kaitiaki support. Phone 021 806 171 or ask at the ward reception.
5. Other Key contacts
- Waikato DHB general enquiries, including outpatient clinics: (07) 839 88 99 or 0800 276 216
- Privacy questions: 0800 561 234
- Non-urgent health questions: Healthline 0800 611 116
- Emergencies: 111
- Kaitiaki support: 021 806 171
- Media: email@example.com