The Waikato DHB breach: What do NZ regulations consider reasonable security?
DataBreaches.net reports on breaches from many countries, including New Zealand. On my companion site, PogoWasRight.org, I’ve posted approximately 200 news stories about privacy incidents in New Zealand, its privacy laws, and decisions by its Privacy Commissioner. On this site, I’ve posted almost 200 more articles about breaches affecting New Zealand entities. But when the Waikato District Health Board ransomware incident made the news in May, and it was reported that the incident was interfering with patient care, I realized that I wasn’t really clear on what data security obligations New Zealand statutes or regulations impose on entities. And when I read a subsequent news report that said that Waikato DHB would not face any fines but might face liability, I realized it was time to learn more. So I reached out to the Office of New Zealand’s Privacy Commissioner. I also reached out to the threat actors to see if they would tell me anything about Waikato’s security and how easy or difficult it was to attack them.
In a preface to their more specific statements, the Commissioner acknowledged the challenges I had raised in my queries about the impossibility of “putting the genie back in the bottle” or restoring entities to their pre-breach state when their sensitive information had been dumped and would presumably be circulating publicly for years to come:
The remedies in the Privacy Act are intended to put the victim back in the position they would have been in but for the breach, and if necessary we will undertake our own inquiries to determine what happened and how. However we are also very interested in ensuring that other agencies in the health sector learn the lessons of this breach and take steps to ensure their security is industry best practice.
The following are some of the questions I posed and the Commissioner’s answers or explanations. The Commissioner’s answers are indicated with “C:” while DataBreaches.net’s queries are indicated with “D:”
D: In a statement the other day, you stated that “If somebody has suffered some loss or considerable distress as a result of having their information included in the hack and it can be shown that the DHB failed in its duty to take reasonable care, then there could be a liability.” What generally constitutes “reasonable care” for a facility collecting, processing, and maintaining sensitive personal information and medical/patient protected health information? Are there any specific guidelines in NZ law or regulations?
C: We don’t have specific guidelines, but if there were industry standard security measures that the DHB had not followed, and did not have a good reason for not following, that would be one possible example. Also, if they were aware of a vulnerability, had access to a patch, but did not apply it in a timely manner, that might be another. There are endless possibilities: failing to provide adequate training to staff, possibly even failing to adequately vet key security personnel, which might influence our decision on whether they had taken reasonable security safeguards. But as mentioned in the piece you quote, we would only be able to do that with a retrospective investigation.
D: In looking at the data dumped by the threat actors, I noticed a lot of old personnel files (circa 2009) that contained personal and sensitive information. They were all unencrypted. Is there anything in NZ law or regulations that would require an entity to encrypt old employee/personnel files that may not be needed currently or to take them offline?
C: No – there is nothing specific that would require encryption. I might ask them, as part of an investigation why those files had been retained in that form, or not encrypted, and would need to be open to the possibility that there might be a reasonable explanation for that.
D: OK, that’s employee files. But is there anything in NZ law or regulations that would require an entity to encrypt patient files? What exactly does NZ require in this regard, if anything?
C: Again, there is no specific legislative requirement to encrypt patient files. We would probably assess the measures taken by the DHB against the Health Information Security Framework (https://www.health.govt.nz/our-work/digital-health/digital-health-sector-architecture-standards-and-governance/health-information-standards-0/approved-standards/security-standards) as a starting point, but there may be other factors we would take into account, if for example we found that those standards had fallen out of date with reference to the current threat environment or if there were gaps or blind spots.
Keep the above in mind when evaluating the answers Vice Society (the threat actors) gave me (below) when I posed some questions to them.
Vice Society would not directly confirm or deny using Zeppelin ransomware (a claim that had been reported in other media coverage). What they did say was that they use software that anyone can find on the internet. And from what they stated, Waikato’s security would probably be characterized as lacking. In the following exchange, they are indicated by “V:”
D: Earlier media coverage reported that the attack was on May 18. When did you first access their system (or how long were you in there before you triggered the encrypting)?
V: 2 days for preparing and 1 day for attack
20 minutes for escalation and 2 days to prepare attack (you can include in prepare stealing documents).
I think that’s the answer for your question [about how good their security was]
Vice Society also claimed that the data they accessed and exfiltrated came from several servers, and, consistent with what they had told me after dumping data from another victim, they claim that the Waikato data that they dumped on their site constitutes all of the data that they had exfiltrated from Waikato.
This was not DataBreaches.net’s first communication with Vice Society, as I had contacted them previously about another target of theirs. I had asked them some background questions at that time about whether they had any exclusions as to whom they might attack. They had answered me, “We will NOT attack companies working with animals (zoo, veterinarians etc.).” They added that Medical and Education organizations are “our favourite.”
In this later email exchange about Waikato, I followed up:
D: You had mentioned that you like going after medical and education sectors […] BUT you left cancer patients being impacted on their care. Do you have any concerns or regrets at all about affecting patients?
V: We didn’t leave them. We really tried to contact them and offer help. We even wrote to local news. Our opinion: if they care about their patients they could pay, restore and after that improve their systems. They decided to make a show blaming “low-life hackers”. We think it is only their fault that they haven’t protected their network and their patients’ data.
We wrote that files were encrypted and documents were stolen. We share price only when they contact us. For Waikato DHB the price was much cheaper than what they spent for rebuild, but they decided to ignore us. They didn’t recover. They rebuilt their network and data.