Sensitive patient files and high-level data stolen in a cyber attack on a major primary health provider have been posted to the dark web by a ransomware group with Russian links, the Herald can reveal.
In a statement last night, Pinnacle Midlands Health Network — which operates dozens of North Island GP practices — confirmed the upload of stolen material to the net, following a "cyber incident" last week.
While the number of affected patients has not been made public, initial reports suggested hackers may have had access to as many as 450,000 people's information.
Justin Butcher, CEO of Pinnacle Incorporated, told the Herald information illegally obtained was uploaded to the internet by "malicious actors".
The information and data related to past and present patients and customers of the Pinnacle group in the Waikato, Lakes, Taranaki and Tairawhiti districts. It also includes Primary Health Care Ltd (PHCL) practices from across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.
The information in the breach includes high-level data related to the use of hospital services, claiming information related to services that Pinnacle provides, and information sent to practices around immunisation and screening status of individual patients.
"Over the past 24 hours, we were notified by our security experts that the data taken from our IT platform had been released by malicious actors," Butcher confirmed.
"We acknowledge that this will be concerning to our patients and their whānau, and we are taking this seriously, our immediate focus is on supporting people who may have been impacted, and working with the authorities to ensure we are doing everything we need to be."
While Pinnacle does not hold GP notes and consultation records, Butcher said the company "now have a much clearer understanding of the breadth of stolen data".
"This is extremely unfortunate, and we are gutted as this impacts our whānau also. Cyber incidents like this are a constant threat, and while they are the doing of malicious actors, we feel for everyone who may have been affected."
Pinnacle has been in contact with police and the Office of the Privacy Commissioner. Police would not comment yesterday.
Sources have told the Herald that a ransomware gang called ALPHV, also known as Black Cat, published a patient assessment, marked "confidential", from a clinic in the Pinnacle group.
It also published a financial memo about budget goals, a spreadsheet and a scan of a passport, which appeared to be taken from Pinnacle's system, among other files.
The Herald did not access Pinnacle files posted online by ALPHV, but was shown screen grabs by a source in the cybersecurity industry.
"Like other ransomware operations, ALPHV uses the threat of releasing data as additional leverage to extort payment," Brett Callow, a threat analyst with NZ-based cybersecurity firm Emisoft, told the Herald.
"Healthcare sectors the world over have been increasingly targeted by for-profit cybercriminals in recent years."
Groups like ALPHV often offer a "taster" of data on the dark web, either to pressure a victim into paying a cyber-ransom or, in some cases, to solicit bids for data.
Offshore, there have been cases of hackers trying to blackmail individual patients, as well as to extort a payment from a healthcare provider.
ALPHV hit headlines in August for its attacks on energy companies and has pioneered searchable, online databases of stolen data as a method of turning the screws on victims.
Unit 42, a division of Nasdaq-listed cybersecurity giant Palo Alto Networks, whose board includes former Prime Minister Sir John Key, has linked ALPHV members to Russia, saying the group communicates to its members or affiliates in the Russian language and is known to operate on Russian cybercrime forums.
In May, GCSB director-general Andrew Hampton warned New Zealand could be targeted by pro-Putin hackers.
If the first leak gets no response, it is typically followed by more sensitive data being spilled online.
The information is offered to cybercriminals in the know. The Pinnacle files were posted to the dark web, which is not searchable by Google, or even accessible via a regular web browser. Special software is required.
On October 4, Pinnacle, which runs a network of 87 GP practices, said a "cyber incident" affected some IT services at offices and practices in Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.
The breach took place on September 28.
At an October 4 press conference, Pinnacle would not say whether it was negotiating with the hackers.
Butcher then said he believed the stolen information could include commercial and personal details.
Later the same day, he told RNZ's Checkpoint the hacked system did not contain clinical notes.
The patient file posted by ALPHV is labelled "Confidential neuropsychological report".
It is from a provider outside the Pinnacle group and details assessments related to a person's ACC claim.
It was for a patient in the Waikato and part of a collection of files ALPHV said were from Pinnacle.
Cybersecurity expert Alastair Millar, from Aura Information Security, told RNZ the potential for identity theft was a worry for the people affected but Pinnacle had been open about it and was pointing people towards support service ID Care and tools available to try protect their identity.
But Millar said it was possible the hackers could be seeking a large financial sum in exchange or to sell the data on the dark web, as was done in a hack on Waikato District Health Board last year.
With people's NHI number and contact information, hackers could obtain credit cards, take out loans or buy gift cards, he said.
Police advise against paying cyber ransoms.
They say there is no guarantee stolen data will be destroyed or returned (or frozen systems unlocked) and that payments both fund and incentivise such crimes.
However, in New Zealand it is not illegal to pay a cyber-ransom.
The Government says taking such a step would criminalise victims.
Pinnacle is also working with the Ministry of Justice-backed ID Care, which offers assistance to those worried they have been the victim of identity theft, and can walk people through the process of freezing credit records, Butcher said.
ID Care has set up a page dedicated to the Pinnacle cyber breach.
People can also call ID Care's Case Management Centre on 0800 121 068.
The fire took place around midnight and took firefighters three hours to control.