Kia ora koutou,

The privacy landscape in New Zealand has been dominated recently by one of the worst ransomware attacks to affect our public sector. On 17 May, the Waikato District Health Board reported a cyberattack debilitated its IT systems, crashing phone systems and computers, causing the cancellation of elective clinical services across several regional hospitals and affecting the rollout of the COVID-19 vaccination program. The DHB only recently began restoring its systems and servers. Amid these technical challenges, it became apparent the attackers seized health and other personal information about breach victims. Several media agencies were contacted by a group claiming responsibility for the attack via an email with attached copies of patient information. The DHB confirmed the information was genuine and commenced efforts to assess the impact and notify affected patients.

The attack also revealed potential weaknesses in the New Zealand public health sector’s approach to cybersecurity, prompting the privacy commissioner to call for all DHBs in the country to take steps to address these. The commissioner noted the Ministry of Health conducted a stocktake of health IT systems in 2020 and warned if any of these agencies had not taken steps to address deficiencies identified in the review, he may issue compliance notices under the Privacy Act 2020 and follow up with prosecutions if necessary. In a later media release, the commissioner also made clear his expectations on anyone who received health information about breach victims, telling them to do the right thing, including inform the Ministry of Health and the Police.

While 2020 was the year of the pandemic, 2021 looks to be the year of the data breach. The Waikato DHB attack follows a previous major breach affecting the Reserve Bank of NZ, in which hackers used data-sharing platform Accellion to access information, including personal and commercially sensitive information the RBNZ obtained from banks and others. At the center of another breach affecting NSW Health, Accellion reported 6 June that information about its patients was accessed in a global attack on the system. The NSW Police Force and Cyber Security NSW are now scrambling to assess whether any other NSW government agencies were affected by the attack.

With the threat landscape in the region steadily increasing, now is the time to take steps to ensure that privacy (and security) awareness is strong within your agency. On 17 June, IAPP’s Auckland KnowledgeNet Chapter will host a session with Heartland Bank Head of Information Security Chris Hails, EY Oceania Cyber Advisory Partner Nicola Hermansson, Behavioral Scientist Renee Jaine and Fonterra Cultural Change Manager Vivian McIntosh discussing ways to effectively increase privacy awareness. The session will be offered virtually for anyone in the region who can’t attend in person. On 6 July, you can join the Wellington KnowledgeNet Chairs (in person or virtually) to hear about the Digital Identity Trust Framework, a regulatory framework that will set out rules for the delivery of digital identity services.

Finally, this is the last chance to submit a proposal to speak at the IAPP ANZ Summit in November, with the call for proposals closing 13 June. Topics of interest to our local audience might include the current review of the Australian Privacy Act, privacy in the wake of COVID-19, developments in the area of open data and updates on experiences of complying with NZ’s new Privacy Act 2020. Once all proposals are in, IAPP’s programming team, with input from the ANZ Advisory Board, will start pulling together an epic program of sessions for our planned in-person event. Watch this space for updates on the program.

In the meantime, enjoy the digest and stay alert.

Ngā mihi nui.