Waikato DHB cyber attack: Hospital bosses fearful of copycat attacks and tipping hackers off

The Waikato District Health Board fears revealing the findings of a forensic investigation into the biggest security attack in New Zealand's history could feed "malicious cyber actors" and encourage copycats.

The first of several investigations into the Waikato DHB's disastorous cyber attack last May has been completed and is being reviewed.

But despite acknowledging the huge public interest in the attack, the Waikato DHB is standing by its decision not to publicly release those findings.

The Waikato DHB commissioned the external forensic review of its digital systems following the massive cyber attack which impacted the Waikato DHB's five hospitals and heavily impacted services and treatments for several months.

The hackers also leaked personal and health information held by the DHB, on about 4000 people on the dark web.

A Waikato DHB spokesperson said it would not be making the report public because it was conscious that "malicious cyber actors monitor public commentary and materials". The report also contained confidential information on data systems.

The DHB refused to release a draft copy of the same report to the Herald at the end of last year citing a completely different reason - people's safety.

"Whilst Waikato DHB is committed to transparency regarding the cyber incident and acknowledges the public interest in disclosing information, our utmost commitment is to ensure the safety and security of patients, staff and the Waikato community. We consider the need to withhold this information outweighs any public interest in disclosure," an Official Information Act response said.

Acting Privacy Commissioner Liz MacPherson said her office received the report at the beginning of February and it was now reviewing the report findings, including the steps taken by the DHB during the current review and assurance phase.

Any regulatory and compliance actions taken – including whether the Office of the Privacy Commissioner would undertake its own investigation - would be heavily influenced by its reviews of all the investigations into the attack.

"We will seek additional evidence if necessary to help ensure there is a thorough understanding of the issues and remediations identified."

The Privacy Commissioner has already ruled out giving the DHB a fine after patient data was hacked, but it could face liability if harm was caused from it.

The Privacy Office would not comment about the other complaints its office has received about the cyber attacks.

Meanwhile, a separate review of the Waikato District Health Board cyber attack commissioned by the Ministry of Health is expected to be completed by the end of the month.

A Ministry of Health spokesperson said since the attack all 20 DHBs had already carried out work to increase the resilience of their systems from future hackers. It is also investing $75.7 million over three years to protect its data and digital systems from increasing cybersecurity risks.

- additional reporting Natalie Akoorie