About 14,500 coronial files were hacked late last month. Photo / 123rf
About 14,500 coronial files were hacked late last month. Photo / 123rf
A High Court judge has made a blanket order ordering anyone who may have received hacked health data or coronial inquest files to immediately delete them.
The order by Justice Grice states that anyone who has received the files or who may receive the files in the future is not allowed to access, look through or filter the records in any way.
The hacked files were obtained from IT provider Mercury IT, which performs contract work for Te Whatu Ora - Health NZ and the Coroner.
The ransomware attack on Mercury IT took place in late November and is said to have involved about 14,500 coronial files and 4000 post mortem reports.
Te Whatu Ora and the Ministry of Justice said there was no clear evidence the hacked files had already been accessed, but that this couldn’t be ruled out.
Hence they were taking urgent action to also provide a legal block to any as yet unknown people accessing the files in the future, the ministries said.
“There is existing precedent for obtaining orders against unknown people,” the ministries said.
“Te Whatu Ora and the Ministry of Justice – Te Tāhū o te Ture can confirm that they have jointly filed legal proceedings in the High Court today to prevent people accessing, sharing or publishing confidential and sensitive coronial and health information at the centre of a recent cyber security incident.”
The National Cyber Security Centre (NCSC), Police and CERT NZ are investigating the incident.
“The legal proceedings were a prudent and proactive extra step to protect people’s confidential and sensitive information as any publication of this information would cause serious distress to those affected,” the ministries said.
The legal orders were also sent to media organisations across the country, instructing them that they also cannot view or sort through the hacked files should any organisation be given the information.
“The legal action was not designed to constrain media reporting of the incident but simply to protect the people whose private and sensitive information had been compromised,” the ministries said.
Te Whatu Ora and the Ministry of Justice also acknowledged the anxiety the cyber incident had caused for those impacted.
The Privacy Commissioner’s office earlier this month said the attack occurred late last month.
“There has been a cyber security incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand,” the office said.
The Government said it has precedent to issue a court order against "unknown" persons. Photo / Mark Mitchell
“This is an evolving situation. We were notified of the cyber security attack on November 30. Urgent work is underway to understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system.”
In a statement on December 6, Mercury IT director Corry Tierney said:
“On 30 November 2022, we became aware that we were the victim of a cyber-incident after a malicious and unauthorised actor gained access to our server environment.
“This was immediately escalated to senior management. The incident was raised with relevant Government authorities, and we have engaged external specialist support.
“Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment.
“We are committed to supporting our impacted clients with their own investigations wherever possible and we apologise, sincerely, for the impact this attack has caused.”
