The ransomware-hit Waikato DHB must notify patients whose information has been shared on the dark web, Privacy Commissioner John Edwards says.
And Edwards says potential victims should take steps to prevent identity theft - including requesting a free freeze on their credit rating.
"Waikato DHB must notify all individuals whose details are included in the data that has been published online, and take steps to prevent further distribution of the information," Edwards told the Herald this afternoon.
"If somebody has suffered loss or considerable distress as a result of having their information included in the hack, and it can be shown that the DHB failed in its duty to take reasonable care, then the Waikato DHB could be liable," Edwards added.
"There is a risk that it could result in serious harm through identity theft and malicious actors fraudulently obtaining credit.
"The Office of the Privacy Commissioner encourages anybody who is concerned about their personal information to exercise their rights under the Credit Reporting Privacy Code, by getting a credit freeze or suppression of their information, which would stop their credentials being used to open credit contracts."
Under a recent update to the Privacy Act, Edwards can hit organisations with $10,000 penalties if they fail to follow notification requirements and other obligations under the legislation.
Earlier, IT security expert Daniel Ayers told Midday Report he had sighted the file structure of leaked patient information - without viewing personal information - and confirmed it is from the DHB.
He said the documents included correspondence, medical records, and financial data.
"I do note that some of the material in this leak does match some of the information that was previously released to media," Ayers said.
Earlier, Ireland CERT head Brian Honan told the Herald that offshore attacks on healthcare facilities had seen ransomware hackers target individual patients, attempting to extort sums in the hundreds of dollars through threats to post personal details online.
Vice Society appear responsible
Separately, Emsisoft threat analyst Brett Callow told the Herald that a ransomware gang called "Vice Society" was responsible for the Waikato DHB attack.
It is based on ransomware developed by another outfit, "HelloKitty", which was responsible for the February attack on the makers of the Cyberpunk 2077 PlayStation game.
The encryption used by HelloKitty, and now Vice Society, "has no weaknesses. Consequently, the only way to recover encrypted files is to restore them from backups or pay the demand," Callow says.
Where is Vice Society based?
"New Zealand. Russia. Anywhere," Callow says.
Like other experts inside and outside law enforcement, Callow has no idea.
"While the [ransomware gangs] are typically believed to be based in Russia or former Soviet states, the people who use the ransomware they create to carry out the attacks could be based anywhere," the threat analyst says.
"For example, a Canadian was arrested in connection with attacks using 'Russian ransomware' earlier this year. According to press reports, he was formerly an IT analyst with the Government of Canada. No doubt, he was tempted by the enormous potential for profits - which turned out to be C$27 million, in his case. I wonder how many years of government salary that equals?"
The District Health Board has refused to pay a ransom, and one month on from the initial attack is still in the process of fully restoring its systems.
Waikato DHB responds
In a statement, the Waikato DHB said, "Last month's ransomware attack saw some information stolen from Waikato DHB.
"We can confirm that it has made its way onto the dark web.
"While we had hoped this would not occur, the DHB was aware of the risk and had been preparing and working closely with cybersecurity experts to identify and manage any potential disclosures.
"In situations like this, when information is identified, it is assessed to see if it contains personal information.
"Early on in this incident, the DHB was made aware of an information file that had been accessed. At that point in time the DHB took the necessary steps to notify affected staff and patients.
"The DHB has been working closely with the Privacy Commissioner to ensure that we meet our obligations and appropriate action has been taken. As the investigation continues and further information is provided we will continue to notify staff and patients as appropriate.
"Additional material has now been identified, as reported in the media today. The DHB has obtained this material and is now working through it to understand the content and will thereafter notify affected patients and staff.
"We are working alongside specialist legal privacy experts and the Privacy Commissioner to ensure we meet all our obligations to directly notify both patients and staff whose data may have been affected.
"These notifications will also include support to individuals, including advice on how to protect themselves and their data moving forward. We will also continue to assess the situation so that we can quickly provide updated advice in the event we identify any additional risk to individuals.
"We continue to treat this incident very seriously and have allocated significant resources to manage the incident response."
The DHB had no immediate response to Edwards' remarks about liability for identity theft or other financial or personal harm suffered by patients as a result of the breach.