Personal information of hospital patients and staff in New Zealand have been published online, around six weeks after a ransomware attack on the Waikato District Health Board (DHB).

Bank details, drivers’ licences, passports, home addresses medical reports and other private records of an unknown number of people are among the data uploaded on to the dark web.

The health authority, which serves a population of 425,000 in the northern portion of North Island, says it has obtained the material concerned and is now working through it to understand the content. 

It will then notify affected patients and staff, including giving advice on how to protect themselves and their data in the future.

“We will also continue to assess the situation so that we can quickly provide updated advice in the event we identify any additional risk to individuals,” Radio New Zealand quoted the DHB as saying.

The board also said it had been aware of the risk of publication on the dark web and is cooperating with cyber security experts to identify and manage any potential disclosures.

“The DHB has been working closely with the privacy commissioner to ensure that we meet our obligations and appropriate action has been taken,” it added.

Privacy commissioner John Edwards described the data breach as serious and a matter of anxiety for people in the Waikato area, but his office would not investigate the incident.

“I don’t think it’s the right time for us to be engaged in any kind of forensic examination while the DHB is seeking to restore its systems and address the harm that’s been done to those individuals,” he added.

He warned risks include identify theft and publication of sensitive information which people would expect to be kept private.

“The DHB just needs to be vigilant, keep an eye on the distribution of that information, taking all efforts to have it removed from that site if that’s possible, and offering support to the affected individual.”

The 18 May ransomware attack knocked Waikato’s IT systems out of action and disrupted normal activities – including postponement of some surgery – at its five hospitals, two continuing care facilities, mental health in-patient facility, community-based services, public health services and clinical services.

In the latest, 16 June, update on its website the board said diagnostic, radiology and other services had been restored, as well as the ability to record and track patients as they move through the hospitals, and for clinicians to access their patients’ full medical information.

But chief executive Dr Kevin Snee cautioned a great deal of work remained to be done across the DHB and that will take time.

Missed PrivSec Global’s livestream experience? No problem, simply click here to access the sessions on demand.