Reporting of personal information from Waikato DHB breach.
Privacy Commissioner John Edwards is very concerned about RNZ’s reporting of personal information which was taken from documents leaked online following the Waikato District Health Board’s cyberattack.
“This reporting would appear to raise quite significant ethical questions, and I would be concerned to think of journalists trawling through illegally obtained deeply sensitive personal information to identify and generate stories. The fact that one media source would appear to have done so may prompt others to do so – effectively creating a market for, and monetising, this very personal material,” said Edwards.
“It is essential that people – including media – respect the personal information of others. Any information which has come from the Waikato DHB ransomware breach is likely to be sensitive personal information, which is likely to cause a great deal of anxiety to the people affected.
“Journalists should not be accessing this information and should in no case contribute to its more widespread dissemination. Doing so only adds to the distress of those whose personal information has been disclosed.”
In late May 2021, Edwards warned DHBs to address any security failings identified in a Ministry of Health stocktake of health IT systems in 2020.
Edwards said his office has been notified of the Waikato DHB ransomware breach and is monitoring the situation closely while providing advisory support.
“We are aware that some patient, staff, contractor and other personal information has been distributed to news media organisations by unknown individuals. Our expectation is that the DHB would notify and offer support to the individuals identified in that information without delay. We would also expect that the DHB would be actively monitoring for potential host sites on the Dark Web or elsewhere.”
Edwards said his office is not investigating to determine any liability at this stage, but if a DHB is found not to have taken adequate security measures to protect its information systems, it could be liable to any staff member, contractor or patient who suffers harm as a result.
“We understand from media reports that other DHBs may be aware of security vulnerabilities in their systems as a result of the audit undertaken last year.
“Our expectation would be that they should have taken, and if they have not should now take, steps to act on any deficiencies in security.
“If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions,” Edwards said.