2022 saw a barrage of ransomware attacks against healthcare providers, and many of their patients remain in frustrated suspense as we enter 2023.
Anne* - a previous melanoma sufferer - has had her moles mapped for the past five years.
An annual head-to-toe Naevus mole mapping by Hamilton Skin Cancer Centre identified any suspicious spots that appeared on her skin since the last round of imaging.
This week, she got a rude shock when she discovered the centre had lost access to previous scans for its Naevus Mole Mapping system.
A “cyber incident” last October saw 10,000 images of skin lesions and moles - including any backups - compromised.
“Patients who previously had melanoma and were mapping moles as a precaution will now not have images from past years to compare with if they present with a suspicious mole. I am a patient now in this position,” Anne told the Herald.
A spokeswoman for Hamilton Skin Cancer Centre told the Herald the centre was working with police to retrieve the files. The centre is “hopeful” it will regain access to the 10,000 patient files.
She would not name the third-party IT provider that hosted the centre’s systems, nor comment on whether ransomware was involved, “due to this being an ongoing police investigation”.
There were no printouts - which she said were not practical given the “granular resolution” of the imaging used for the mole mapping. New systems have been put in place since the October attack, including new backup procedures.
The centre contacted all affected patients in October by email or letter, including an email sent to Anne (which the patient never received - it’s presumed to have been caught in her spam filter).
A story in the media in October relayed patient fears body images could appear on the dark web - where ransomware attackers post “taster” files in a bid to pressure a victim into paying up.
That story emerged after the centre posted an online update that included the line: “Unfortunately our image storage system was affected, which means the third party may have downloaded image files of some of our patients; for example, close-up images of skin lesions which may include patients’ faces.”
But the update (the first and only update published, as of today) made no mention that 10,000 files were no longer accessible, or the practical consequence that year-on-year mole mapping comparisons were no longer possible, at least for the time being.
The Hamilton Skin Cancer Centre spokeswoman confirmed the 10,000 number to the Herald.
She said cyber-security and forensic IT investigators the centre contracted found no evidence of any of the images on the dark web, or any evidence personal information such as contact information, bank card or credit card details, email addresses, National Health Index (NHI) numbers, or telephone numbers have been affected, downloaded, or published.
A cyber-security consultant contacted by the Herald did not find any sign of any centre files on the dark web either.
Anne told the Herald she was surprised the centre had taken an “eggs in one basket” approach to backup, especially after the 2021 ransomware attack on Waikato DHB highlighted the need to step up cyber defences and procedures.
Upsurge in attacks
Anne is far from alone in being the victim of data breach, or in her frustration over lack of progress.
The final three months of 2022 saw a clutch of major cyber attacks - most acknowledged as ransomware.
Yesterday, the Office of the Privacy Commissioner reported a 41 per cent increase in privacy breaches which met the serious harm threshold during the second half of 2022 (207, up from 147 in the first half of 2021).
The cyber incident affecting Hamilton Skin Cancer Centre happened the same week a ransomware attack hit Pinnacle Midlands Health Network - which operates dozens of North Island medical practices.
The Pinnacle attack did see some files posted to the dark web, but the Hamilton Skin Cancer Centre has no direct connection to Pinnacle, and the two cyber incidents were separate.
In November, Wellington-based IT provider Mercury IT suffered a breach leading to ransomware swoops on data on its clients including Te Whatu Ora Health NZ, where 8500 Middlemore Hospital bereavement care services records and 5500 cardiac inherited disease registry records were compromised.
Other victims were the Ministry of Justice, where 14,500 coronial files and 4000 post mortem reports were accessed, the NZ Nurses Association (which represents 55,000 healthcare workers), BusinessNZ, the Wellington Chamber of Commerce and the affiliated Business Central, and Accuro, a Wellington-based private health insurer with about 30,000 customers.
No progress, across the board
This week, a spokesman for Mercury said there was no substantive update on efforts to retrieve files. The spokesman said the Hamilton Skin Cancer Centre was not a client.
On December 20, Emsisoft threat analyst Brett Callow said LockBit - the cybergang apparently behind the attack on Mercury IT - had placed 10-day countdown clocks on Mercury IT and several of its clients.
LockBit threatened to release the files if Mercury did not pay US$999,999 ($1.5m) before the deadline, with demands for lesser amounts from various affected clients. The files were also offered to anyone willing to pay the US$999,999.
At the time, Callow noted LockBit had previously restarted the countdown if there were no takers. That was the case this week.
The Government has repeatedly rejected “circuit breaker” measures suggested by Callow, Herald columnist Juha Saarinen and others, including making it illegal to pay a cyber ransom.
Police say paying ransoms incentivises further offending, funds offending in another area, and provides no guarantee files will be returned, or that copies will be destroyed rather than sold or used for future blackmail.
The Government has also ruled out major fines for organisations with substandard cybersecurity. And cybersecurity funding increases in recent budgets have been limited compared to the billions in new spending across the Tasman.
Compliance investigation, court order
Under our privacy laws, organisations are required to take all reasonable steps to secure personal data.
And under an update to the Privacy Act, which came into force in December 2020, a “serious breach” must be reported to the Privacy Commissioner within 72 hours or risk a fine of up to $10,000. Previous Privacy Commissioner John Edwards lobbied for fines of up to $1 million for breaches, which would have still been modest next to penalties in Australia and the EU.
On December 21 last year, the Privacy Commissioner opened a compliance investigation into the Mercury IT breach.
This week, the commissioner’s office had no comment beyond that the investigation is “ongoing”.
It is a good time to remind the public that the Mercury IT breached data is protected by a court order, a spokesman for the Commissioner said.
“If an individual comes across any information from this breach, it should be reported to the New Zealand Police. No one should contribute to its dissemination and increase the anxiety and distress to individuals impacted.
“For those involved, or potentially involved in this breach, be hyper-vigilant. Watch out for suspicious texts, emails or unusual things happening with your accounts or records. Be particularly cautious of contact from an unknown source.”
Police, the GCSB’s National Cyber Security Centre and other agencies investigating the rising wave of cyber-attacks are focused on the mechanics of how files were stolen, and who was responsible for the theft. With suspects concentrated in Russia and other countries where international co-operation is limited, that can be a thankless task.
But new Privacy Commissioner Michael Webster says: “By far the most common type of harm associated with serious privacy breaches is emotional harm – more than a third of all serious breaches reported to our office involve this type of harm. Other common types of harm include reputational harm, identity theft and financial harm.”
Webster says a suspected serious breach should be reported to his office as soon as possible.
“Report it. Report the breach as early as possible. Notifiable privacy breaches should be reported within 72 hours of the breach being identified. We will work with you as you go through a triage response and help guide you to bring your agency through a crisis.”
Any attack involving ransomware should be treated as a serious breach by default, he says.
What’s the “serious breach” threshold overall?
“If your kindergarten accidentally sends a message to all that reveals your child is gluten-intolerant, I don’t want to hear about it,” former Privacy Commissioner John Edwards said.
The Office of the Privacy Commissioner has a “privacy breach self-assessment” test on its website, with a series of multi-choice questions to help you gauge whether mandatory disclosure is required.
Webster says if you’re in any doubt, contact his office.
Where to get help
- Crown agency Cert NZ offers “triage” advice for individuals or small businesses hit by a cyber attack, and can direct you to the right contacts at the police or other agencies for further investigation or assistance.
- The Ministry of Justice-backed ID Care can help you freeze your credit record and provide other assistance if you’ve been subject to identity theft following a cyber attack, or suspect it is a threat. Its website features response guides specific to a number of the current cyber attacks.
* Name changed