After Ireland, massive ransomware attack now shuts down New Zealand hospitals

Systems are still down a week after a ransomware attack disrupted the IT network of five hospitals in the New Zealand district of Waikato, and concerns remain that private patient information may have been exposed.

Patients are being asked to arrive at appointments with paper documents and banks are urged to honour automatic payments to hospital staff who were either underpaid or not paid at all, a week after the Waikato District Health Board said it experienced a full outage of its information services.

By Tuesday, manual processes were implemented to support the backlog of patients while the public was reminded to “seek alternative avenues of treatment unless they are critically unwell.”

The head of the health board, Kevin Snee, told reporters that “there's a real threat some people's personal information may have been breached as a result of the cyberattack.”

Andrew Little, the health minister and the minister responsible for New Zealand's intelligence agencies, said he could not give anxious patients any assurance that their personal data hadn't been compromised.

“All the advice I've had so far is obviously, they've gotten into the system and they've encrypted it, there's a chance they've taken data from the system and exfiltrated it,” Little told Radio New Zealand on Monday. He said the DHB was rebuilding its system and operations would be back online “hopefully by the end of this week.”

Also read: Ireland confirms its health system faced a second cyber attack

There's been no official word on whether the attackers had demanded a ransom. Last week Snee told reporters that there would be no ransom payment and that the Board had backups for all its files that it would use to rebuild its system.

The incident in Waikato, a local government region in the upper North Island of New Zealand, bears striking similarities to the May 14 cyberattack on Ireland's hospitals. Officials there were forced to shut down many of their computers after hackers gained access to the health service's systems. There, too, hospitals had to cancel services and staff have had to rely on pen and paper rather than PCs.

The hackers who targeted the Irish health service call themselves the ContiLocker Team and use a strain of ransomware known as Conti to break into victims' machines and extort payments. When Waikato hospitals first had to shut down, the head of New Zealand's doctors' association, Deborah Powell, said the attack appeared to be of the same type. Radio New Zealand reported Powell saying that “it was her understanding the cyberattack was a type of ransomware called ‘Conti.'”

Asked for clarification, the Resident Doctors Association said she was not immediately available and was unlikely to speak further on the matter.

The FBI said in a May 20 statement that more than 400 mostly healthcare and first-responder organizations around the world have been victimized by Conti and that “recent ransom demands have been as high as $25 million.”

The New Zealand government's cyber agency refused to say if it was in contact with Irish authorities regarding the incident. “The NCSC knows from its involvement in other significant cyberattacks that malicious actors can monitor what is being said in the media, and this can influence their behaviour,” the National Cyber Security Centre said in a statement.

Read more: Google is testing a new feature to help people find hospital beds

Several New Zealand media organizations reported receiving communication from someone purporting to be responsible for the attack. Radio New Zealand said Tuesday that the emails appeared to contain caches of documents, including recent data on staff numbers and names, financial records, contracts and complaints. There were also files containing screenshots identifying hundreds of patients and staff, with some documents spelling out diagnoses and medical information, RNZ reported.

It's the second significant cyberattack New Zealand has encountered in under a year. Last August, its stock exchange had to halt trading over a period of four days because of a distributed denial-of-service attack that forced its public website offline.

Minister Little said there would need to be a review to understand how an “entire IT system, phones, computers, everything, seems to have been brought down.”

The Waikato breach was “a high degree of exposure. You would expect in this day and age that there would be adequate protection around these sorts of things,” he said to Radio New Zealand.