Waikato District Health Board ransomware attack

In mid-May 2021 hospital computer systems and phone lines run by the Waikato District Health Board (DHB) in New Zealand were affected by a ransomware attack. On 25 May, an unidentified group claimed responsibility for the hack and issued an ultimatum to the Waikato DHB, having obtained sensitive data about patients, staff and finances. The Waikato DHB and New Zealand Government ruled out paying the ransom.

Background
According to the Stuff journalist Dileepa Fonseka, the Ministry of Health had entered into negotiations with information technology industrial vendors in 2019 to purchase a more advanced cybersecurity system for the country's district health boards. However, these negotiations were abandoned since the Ministry lacked the budget to purchase the proposed system.

Incident
The cyber attack on the Waikato District Health Board that began on 19 May 2021 brought down all IT systems and phone lines. Kevin Snee, chief of Waikato DHB, said that he did not know who was responsible for the attack or if it was related to the Health Service Executive cyberattack.

On 25 May 2021, The New Zealand Herald reported that an unidentified group had claimed responsibility for the hack. This group had reportedly accessed confidential patient notes, staff details, and financial information. The group also claimed that they had given the Waikato DHB seven days to contact them following the cyber attack. The group reportedly deleted most of the backup files but offered to help restore the systems if the Waikato DHB responded to their communications. In response, the Waikato DHB chief executive Snee refused to confirm or deny whether the DHB had been in contact with the hackers. Snee also stated that the DHB would not be paying any ransom.

On 27 May, senior Waikato DHB officials confirmed that hackers had seized patient and staff details and that files sent to several media including The New Zealand Herald contained genuine information. These files have been handed to the Police. DHB chief executive Snee confirmed that the body was working with privacy experts and providing affected patients with support. Snee stated that the Waikato DHB's COVID-19 vaccination programme had not been affected by the cyberattack and was ten percent ahead of its rollout target. Emsisoft cybersecurity expert Fabian Wosar speculated that the hacker's ransom demand for the Waikato DHB's hacked data was likely in the millions or even tens of millions of dollars; potentially making it the biggest Zepellin data breached if confirmed.

Impact
Some surgeries were postponed as a result of the attack, but most went ahead as planned.

Two Air New Zealand flights were cancelled after the airline was unable to get a negative COVID-19 certificate for a crew member who was to work on both flights.

On 26 May, an unidentified doctor claimed that seriously ill cancer patients could be flown to Australia for treatment due to the disruption and potential data breach caused by the Waikato DHB cyber attack. The Waikato DHB has also arranged for the most urgent patients to be assigned to private providers in Tauranga and Wellington. In addition, the Auckland District Health Board has agreed to provide treatment to the Waikato DHB's emergency cancer patients.

By 2 June, the Waikato District Health Board had confirmed that it had made progress in restoring half of its servers over the past four days. Its system consisted of several hundred servers, many major network sites and thousands of work stations.

By 7 June, radiation therapy had resumed at Waikato DHB hospitals with 21 patients receiving treatment the previous day. In addition, restoration work was being done to salvage data from the Waikato DHB's inpatient management system and diagnostic services from its radiology and lab departments.

By 15 June, Kevin Snee confirmed that the Waikato DHB had managed to restore clinical services, doctors' access to patients' full medical information, laboratory diagnostic and radiology services. However, staff were still relying on manual processes in several areas, which meant that all activities require additional time. The DHB also faced a backlog of patients who have had their outpatient appointments and other services cancelled because of the cyber attack. Due to the disruption, some patients had to seek treatment at other district health boards.

On 29 June, Radio New Zealand and Stuff reported that a list of documents containing sensitive information including correspondence, medical records, and financial data had been released on the dark web. In response, the Waikato DHB confirmed that it had contacted affected patients and was working with cybersecurity experts to identify and manage any potential disclosures.

Reactions
Kevin Snee described the attack as the "biggest in New Zealand history".

Health Minister Andrew Little said that Waikato DHB was getting all possible assistance including from the National Cyber Security Centre within Government Communications Security Bureau.

On 25 May, Health Minister Little confirmed that the New Zealand Government would not pay the ransom to the hackers in order to discourage further offending. Little confirmed that the hacking group had contacted several media companies including Stuff and NZME.

On 26 May, the Privacy Commissioner warned all district health boards in New Zealand to fix their IT vulnerabilities as a result of the Waikato DHB cyberattack.

On 29 June, Health Minister Little promised a full independent inquiry into the Waikato DHB cyber attack. The following day, the Privacy Commissioner confirmed that the Waikato DHB would not be fined for patient data being hacked but that the health body may faced liability if harm was caused by it.