Waikato DHB's tonight confirmed that data stolen in its ransomware attack has made it to the dark web.
The new leak was identified by a cyber security expert today, six weeks after the health board had its servers hacked, forcing its five hospitals offline.
Those responsible for the attack have previously leaked some of the hospital's data to media and the DHB confirmed what's now been found on the dark web contains "additional material".
"The DHB has obtained this material and is now working through it to understand the content and will thereafter notify affected patients and staff,” it said in a statement.
"While we had hoped this would not occur, the DHB was aware of the risk and had been preparing and working closely with cyber security experts to identify and manage any potential disclosures."
The information published on the dark web is understood to contain bank information, employee data, patients' driver licenses and passports and other medical records.
Cyber security expert Daniel Ayers told 1 NEWS "once you've lost control of it, it's out there.. it's gone".
"There seems to be quite a large quantity of information,” he said.
"I chose a management document, that was unlikely to contain personal information. I opened that and it came from Waikato DHB. Also some of the material we can see is included in this set of information, is also included in the information previously linked to some media organisations and I understand that was confirmed as being genuine."
Health and Government Communications Security Bureau Minister Andrew Little has confirmed he's been alerted to the leak.
"I've been advised documents have made its way to other platforms and that the identity of individuals have been revealed," he said.
The DHB said it has “been working closely with the Privacy Commissioner to ensure that we meet our obligations”.
It added that “appropriate action has been taken”.
“As the investigation continues and further information is provided we will continue to notify staff and patients as appropriate.”
Ayers said the “information's accessible if people go and look for it” but it was not included in search engines.
Little said if the person responsible for the leak is in New Zealand, there are penalties under the Privacy Act.
“The question of course is whether the person whose breached people's privacy is in our jurisdiction and we don't know that”, Little said.
The DHB says it continues to treat the incident very seriously and has allocated “significant resources” to managing the response.
It says it’s making good progress in restoring its servers, with its critical systems now reinstated.
“We also continue to work with cyber security specialists, who are implementing additional security measures and controls to safeguard and protect the WDHB network”.
“As advised already by the Government, once the DHB’s systems have been fully remediated there will be an independent inquiry to see what can be learned to prevent cyber security incidents like this occurring in the future.”
The DHB once again thanked the public for having patience through what’s been a challenging period.
SHARE ME