Waikato District Health Board will not be fined for patient data being hacked, but it may face liability if harm is caused from it, the Privacy Commissioner says.
Some patient information was published yesterday on the dark web after the ransomware attack that crippled five hospitals' IT systems in May.
The information reportedly included bank details, drivers' licences and passports.
Privacy Commissioner John Edwards told Morning Report the information was not widely available but it was still accessible to malicious users and that was troubling.
"We don't really know the extent yet, we've seen a couple of screenshots of different directories which show different categories of information but we don't know how much of the information that has been taken from the DHB has ended up accessible there."
If it becomes more predominant, they could ask search engines to block links to it.
"Whether they accede or not, we don't know. We don't have a right to de-link in this country as they do in other countries," Edwards said.
The risk was that it could result in harm through identity theft and malicious users fraudulently obtaining credit.
"I would encourage anybody who is concerned about that to exercise their rights under the credit reporting privacy code, to get a credit freeze or suppression of their information," Edwards said.
"That would stop their credentials being used to open credit contracts."
He said he did not believe the attackers would get a ransom, as officials previously stated they would not give in to those demands.
The onus was on the DHB to try and secure the data and assist victims by notifying them if they were involved and where to get help, he said.
"They have an 0800 number for anybody who is concerned about their data being included in the hack [0800 561 234]."
In addition, IDCARE was also available to support victims of ID theft (0800 121 068).
Although there were no penalties for the DHB, it could still face liability if an intensive investigation could prove that, Edwards said.
"If somebody has suffered some loss or considerable distress as a result of having their information included in the hack and it can be shown that the DHB failed in its duty to take reasonable care, then there could be a liability.
"But there would have to be a reasonably extensive and forensic process of investigation to determine whether that liability arose."
The DHB said yesterday it had taken steps to notify affected staff and patients of the previous leak and was working closely with the commissioner to meet its obligations.
"The DHB has obtained this material and is now working through it to understand the content and will thereafter notify affected patients and staff."
It is not clear how many patient and staff files are involved in total.
Patients' Rights Advocacy Waikato chairwoman Carolyn McKenzie said it was a very concerning development, given the information could be used any time in the future.
"I think that'd make them feel extremely insecure and very angry and really who can you blame? How much money can they afford to spend on something like that, and you still won't be secure?"
FinTech New Zealand general manager James Brown said cybersecurity breaches in this country rose 65 per cent last year - with direct financial losses totalling almost $17 million.
Brown told Morning Report those figures were just "the tip of the iceberg" because a lot of attacks were going unreported.
"It's really challenging because if you look around the rest of the world, our investment into cyber, is really awful in comparison to some other jurisdictions.
"I think we've got a lot of work to do and ultimately I think we're feeling a little bit exposed and we've definitely seen that in recent times."
The minister for health and the intelligence agencies, Andrew Little, said cyberattacks would keep happening, and no protection could stop every one of them.
He said the government was investing into the sector, but there was no foolproof solution.
"Even with the best protections in the world now, the reality of the world now is that cybersecurity [has] no cast-iron guarantee. Cyberattacks are a reality of the modern day world."
Brown said businesses also needed to have good housekeeping practices, like backing up data, software updates, anti-virus software, and changing passwords, to protect themselves from cyberattacks.
"We've done road shows up and down the country - the amount of people that actually use their pet names, their street names, or other things of that nature to actually have as their access to what can be a lot of customer or consumer data, it becomes quite frightening."
There was also a surge in the adoption of more digital technology, especially during the pandemic, he said.
"The reality is most people wouldn't have been ready for that and certainly a lot of organisations, not just in New Zealand, would also not have been ready as well."
With the switch to work from home, some workers may have lost the adequate protections that were in the office.
"We are seeing some business terrorist attacks but we also have to bear in mind there are also personal terrorist attacks," Brown said.
He said people often downloaded or logged into apps without much consideration to the terms and conditions, which clarify where personal information is going.