Waikato Hospitals ransomware attack (2021)

From International cyber law: interactive toolkit
Date: 18 May 2021.[1]
Suspected actor: An unidentified group claimed responsibility for the cyber-attack[2] in an alleged communication with the Waikato District Health Board (DHB), and later in an email sent to several media organizations, in which it claimed to have accessed patients' and staff's confidential information.[2]
Target: Five hospitals (Waikato, Thames, Te Kuiti, Tokoroa and Taumarunui) of the Waikato DHB in New Zealand.[3]
Target systems: The hospitals' Microsoft Windows-based computer information systems, phone lines and payroll systems.[4]
Method: According to Waikato DHB's chief executive, Kevin Snee, the malicious software allegedly entered the network via a phishing operation, through an email attachment,[5] blocking access to the systems[6] and encrypting the data.[7]

An internal cyber-security report drafted before the attack[8] had allegedly already warned the board that DHB's IT security was susceptible to a major cyber-attack, since some of its computers were running outdated and unsupported operating systems (Windows 7)[9] and security measures, and were thus exposed to virus and malware threats.[8]

Purpose: The attackers aimed at financial gain. The unidentified group stole and "hijacked" confidential information on patients and employees, as well as financial data.[2] The hackers allegedly communicated a ransom demand to Waikato DHB to unlock the data and the digital systems[10] and gave it seven days to contact them in order to restore access to the systems.[2] The chief executive stated that “there would be no ransom payment and that the Board had backups for all its files that it would use to rebuild its system”.[7]
Result: The IT services of the five Waikato DHB hospitals were brought down,[11] representing more than 600 servers.[9] As a result, patients' information became inaccessible,[12] forcing personnel to manually take notes[13] and track appointments,[14] patients and critical clinical information.[15] Communications through the hospitals' phone lines were hindered,[16] many elective surgeries for inpatients were deferred[8] (based on their dependence on laboratory and radiological services),[17] and some outpatient clinics were reduced[18] or cancelled.[19] The emergency departments remained in use exclusively for critical cases.[20] Moreover, oncological patients had to be transferred to other providers across the country to ensure continuity of their radiation therapy treatments[21] with the least disruption possible.[22] In addition, payment of staff wages was interrupted due to interference with the payroll, forcing DHB to develop a contingency plan.[23]

Although at first there was no clear evidence of whether data had been accessed,[2] the unidentified group contacted several local media outlets on 25 May 2021, claiming that it had exfiltrated confidential information, including personal information on patients and employees and financial data, and stating that DHB was being given one more chance to contact them.[2] The media refused to publish the information they received and referred it to the police authorities.[24] The data was later leaked on the dark web,[8][9] affecting more than 4,200 people.[25]

Aftermath: The attack was labeled as the “biggest cyber-attack in New Zealand history”.[1] DHB’s chief executive stated repeatedly that the Board was not going to pay a ransom[2][1] and that there was no further communication with the alleged hackers.[26]

It took several weeks to restore the information systems and make them operational again. Radiation therapy partially resumed at Waikato DHB on 7 June 2021, when the supporting system was restored and brought back online, and work continued for weeks to restore all the impacted systems, prioritizing key services.[27] On 21 December 2021, DHB stated that the hospitals' services had returned to full functionality.[28]

DHB was assisted in the recovery by fourteen governmental agencies, including the Ministry of Health, the police, the Department of Internal Affairs, the Government Communications Security Bureau and the National Cyber Security Centre.[29] Alongside recovering the servers from the attack, the hospitals worked on enhancing the systems' security and resilience before they were reinstated.[30]

DHB received several queries regarding potential privacy breaches,[8][29] and complaints have also been filed with the Privacy Commissioner.[8] A criminal investigation of the attack was initiated.[31] DHB obtained High Court orders to prevent media organizations from using the breached information and to require them to permanently delete any copies of the data from their systems.[32]

One of the several external forensic investigations was completed early in 2022.[33] DHB has decided not to release the findings as they included confidential information on data systems and in order not to encourage similar attacks.[33]

Analysed in:
Scenario 14: Ransomware campaign
Scenario 20: Cyber operations against medical facilities

Collected by: Dominique Steinbrecher

  1. Helen Livingstone, New Zealand hospital faces second week of disruption after major cyber attack, The Guardian (24 May 2021)
  2. Elizabeth Binning and Nikki Preston, Waikato DHB cyber attack: Group claims responsibility, says it has confidential patient details, NZ Herald (25 May 2021)
  3. Waikato DHB, Waikato DHB Information System latest update (24 May 2021)
  4. Helen Livingstone, New Zealand hospital faces second week of disruption after major cyber attack, The Guardian (24 May 2021); Waikato DHB, Waikato DHB Information System down (18 May 2021)
  5. Waikato DHB, Waikato DHB Information System latest update (19 May 2021); Nikki Preston, Cyber attack on Waikato DHB's IT system won't be fixed until the weekend, NZ Herald (18 May 2021); Ben Leahy, New Zealand's hospitals battle daily cyber attacks: Ministry of Health, NZ Herald (19 May 2021); NZ Hit, The Waikato District Health Board cyber attack has been a wake-up call for all businesses, organisations, and people in Aotearoa (2021)
  6. Rizwan Asghar, A cyberattack lesson from Waikato DHB, News Room (21 June 2021)
  7. Jamie Tarabay, New Zealand Hospitals Under Prolonged IT Outage From Ransom Hack, Bloomberg (25 May 2021)
  8. Natalie Akoorie, Waikato DHB warned a cyberattack 'catastrophic for patient safety', RNZ (12 November 2021)
  9. Natalie Akoorie, Waikato DHB cyber attack: Old software susceptible to malware was being used by some staff, Stuff (5 November 2021)
  10. Waikato DHB, Information System Outage and Cyber Security Latest (28 October 2021)
  11. Natalie Akoorie, Waikato DHB warned a cyberattack 'catastrophic for patient safety', RNZ (12 November 2021); Nikki Preston, Cyber attack on Waikato DHB's IT system won't be fixed until the weekend, NZ Herald (18 May 2021)
  12. NZ Hit, The Waikato District Health Board cyber attack has been a wake-up call for all businesses, organisations, and people in Aotearoa (2021)
  13. Nikki Preston, Cyber attack on Waikato DHB's IT system won't be fixed until the weekend, NZ Herald (18 May 2021)
  14. Waikato DHB, Waikato DHB Information System latest update (21 May 2021)
  15. Andrew McRae, Cyber attack: More to miss out on surgery as Waikato DHB rebuilds IT system, RNZ (24 May 2021); Helen Livingstone, New Zealand hospital faces second week of disruption after major cyber attack, The Guardian (24 May 2021)
  16. Ben Leahy, New Zealand's hospitals battle daily cyber attacks: Ministry of Health, NZ Herald (19 May 2021)
  17. Andrew McRae, Cyber attack: More to miss out on surgery as Waikato DHB rebuilds IT system, RNZ (24 May 2021)
  18. Waikato DHB, Waikato DHB Information System latest update (19 May 2021)
  19. Waikato DHB, Waikato DHB Information System down (18 May 2021)
  20. Waikato DHB, Waikato DHB Information System latest update (25 May 2021)
  21. Waikato DHB, Waikato DHB Information System latest update (26 May 2021); New Zealand Parliament, Urgent Debate — Ransomware Attack — Waikato District Health Board (29 June 2021)
  22. Waikato DHB, Plans in place for Waikato DHB cancer patients (26 May 2021)
  23. Waikato DHB, Waikato DHB Information System latest update (24 May 2021)
  24. Maggie Miller, Hackers release patient data stolen from New Zealand health systems, The Hill (26 May 2021)
  25. Scott Yeoman, Waikato DHB to tell 4200 people their personal information was disclosed on the dark web, following May cyber attack, Stuff (10 September 2021); Natalie Akoorie, Waikato DHB cyber attack: Out of date software used by some staff, RNZ (4 November 2021)
  26. Andrew McRae, Cyber attack: More to miss out on surgery as Waikato DHB rebuilds IT system, RNZ (24 May 2021)
  27. Waikato DHB, Radiation therapy resumes at Waikato DHB for cancer patients (7 June 2021)
  28. Waikato DHB, Information System Outage and Cyber Security Latest (21 December 2021)
  29. Natalie Akoorie, Waikato DHB cyber attack: Out of date software used by some staff, RNZ (4 November 2021)
  30. Waikato DHB, Waikato DHB IT outage update (2 June 2021); Nikki Preston, Waikato DHB cyber attack: Hospital bosses fearful of copycat attacks and tipping hackers off, NZ Herald (3 March 2022)
  31. Waikato DHB, Waikato DHB Information System latest update (26 May 2021)
  32. Waikato DHB, Information System Outage and Cyber Security Latest (2021); RNZ, High Court stops RNZ from using further information stolen in Waikato DHB cyber attack (4 August 2021)
  33. Nikki Preston, Waikato DHB cyber attack: Hospital bosses fearful of copycat attacks and tipping hackers off, NZ Herald (3 March 2022)