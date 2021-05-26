Wednesday, 26 May, 2021 - 17:21

Privacy Commissioner John Edwards is warning DHBs to address any security failings identified in a Ministry of Health stocktake of health IT systems in 2020.

Mr Edwards says his office has been notified of the Waikato DHB ransomware breach and is monitoring the situation closely while providing advisory support.

"We are aware that some patient, staff, contractor and other personal information has been distributed to news media organisations by unknown individuals. Our expectation is that the DHB would notify and offer support to the individuals identified in that information without delay. We would also expect that the DHB would be actively monitoring for potential host sites on the Dark Web or elsewhere."

Mr Edwards says his office is not investigating to determine any liability at this stage but if a DHB is found not to have taken adequate security measures to protect its information systems, it could be liable to any staff member, contractor or patient who suffers harm as a result.

"We understand from media reports that other DHBs may be aware of security vulnerabilities in their systems as a result of the audit undertaken last year.

"Our expectation would be that they should have taken, and if they have not should now take, steps to act on any deficiencies in security.

"If we find that any DHB does not have adequate security, we may issue compliance notices under the Privacy Act 2020, and if necessary, follow up with prosecutions," Mr Edwards said.