Hackers sent patient data stolen during an attack on New Zealand’s Waikato District health system to local media outlets on Wednesday, with the outlets declining to publish the sensitive information.
The Waikato District Health Board (DHB) confirmed the attack in a statement Wednesday, saying that it is “aware that the media have received what appears to be personal and patient information from Waikato DHB information systems.”
“Media outlets have confirmed they will not make this information public and have referred it to the Police,” the statement read. “This is an ongoing criminal investigation and Waikato DHB are working closely with the National Cyber Security Centre, Government Communications Security Bureau (GCSB), The Privacy Commission and NZ Police to respond, remediate and recover from this incident.”
Kevin Snee, the chief executive of the Waikato DHB, said in a statement Wednesday that authorities are working to address the hack, not commenting on who may be behind it.
“This is a criminal investigation and we have every confidence that it is being dealt with by NZ Police and cyber security experts,” Snee said. “Care and safety of patients remains our highest priority, and we must concentrate on health services and supporting our staff to do their job.”
The release of the information comes a week after the health system’s information services were entirely shut down by hackers, impacting clinical services at multiple hospitals in the New Zealand district, including forcing the cancellation of some elective surgeries.
As of this past weekend, dental, dermatology and cardiology clinical appointments were canceled, and on Monday, the Waikato DHB was forced to contact banks directly to pay staff due to IT systems being unable to process employee payrolls.
The Waikato DHB, one of 20 in the nation, serves around 425,000 New Zealanders.
“Our staff are pulling together as a team and working collaboratively with our partners to restore services, but disruptions are to be expected as workarounds are put in place,” Snee said. “This is an extremely serious situation and I am proud of staff who are doing their utmost in maintaining business as usual in an environment that is clearly not usual.”
“I also appreciate the support of our partners, which has been vital to ensure we can provide the people of the Waikato with confidence to access the health services they need,” he added.
Hospitals and health care systems have been major targets of cyberattacks over the past year, as hackers increasingly saw them as vulnerable during the COVID-19 pandemic.
Several hospitals in the United States were targeted last year, and Universal Health Services, a chain with facilities in the U.S., United Kingdom and Puerto Rico, saw its IT systems taken offline by an attack in September.
More recently, Ireland’s Health Service Executive (HSE), the nation’s key health care provider, was hit by a ransomware attack, which as of Wednesday was still causing what the Ireland HSE described in a statement as “substantial disruption” to operations.
While the HSE and the Irish government have insisted they will not pay the hackers responsible to unlock their IT systems, BBC News reported last week that the hackers had given the government a key to decrypt systems for free.
The attack on the HSE was allegedly carried out by the Conti ransomware group. The FBI pushed out an alert last week warning that the same group was targeting U.S. health care and first responder networks, and urging victims to contact the FBI.