link to page 2 link to page 2 link to page 2 link to page 3 link to page 3 link to page 3 link to page 4 link to page 4 link to page 6 link to page 9 link to page 10

CYBER SECURITY EVENT

The issue

A cyber-attack has affected Waikato DHB information systems. Health information held by Waikato
DHB may have been accessed as a result of illegal activity as part of the ransomware attack. Other
illegal cyber activity may remain a current threat for NZ health services. This plan guides the DHB’s
actions in providing information to the public and media.

Background

At 0240 hours on 18 May 2021 Waikato DHB experienced an unauthorized cyber intrusion to its
computer systems. Systems have been severely adversely affected. Information held by the DHB,
including personal health information may have been accessed during the incursion.

We know that the characteristics of a significant health event are:
•  high demand for information
•  variable quality of information
•  high public sensitivity

This reinforces the need for a well-managed response underpinned by good planning – with
appropriate resources and support. This communications plan takes a principle-based approach as in
any significant event information can change rapidly.

The current plan is pitched at a high level with some limits on detail due to information is still being
provided. More detailed information around specific issues and key messaging will be worked on
separately. We have aimed for both comprehensive planning and flexibility. The plan outlines our
current approach – but can be promptly brought forward if needed to manage an uncontrol ed
release of information. Similarly, key messages can be easily fashioned into a release at short notice.

Objectives

The DHB aims to act to build and maintain trust in publicly funded health services.

We’ll do this by providing timely information and advice to the public, media and the sector; linking
in with other Government and health agencies; and supporting those affected.

We will proactively and transparently keep all Waikato DHB internal and external stakeholders
informed of the current Cyber Security Event in a clear, consistent, and accurate way in order to:
•  To ensure patient safety and reduce clinical risk while operating without an IT network by
providing staff timely information they need to continue to operate effectively in this
environment.
•  To reassure the public that Waikato DHB continues to provide excellent patient care and
patient safety remains our upmost priority, protecting the reputation, level of trust, and
positive engagement with publicly funded health services.
•  To keep patients and their whānau informed regarding any changes to their care.
Communications Plan _DRAFT 23 May 2021

2 of 11

CYBER SECURITY EVENT

  •  To provide Waikato DHB partners and providers information they need to continue to work
collaboratively with us to provide excellent patient care and services.

Roles and responsibilties

The DHB has been working closely with the Ministry, National Cyber Security Centre, Privacy
Commissioner and health agencies to ensure clarity on roles and responsibilities.

•  Ministry of Health - health system response and assurance Dr Ashley Bloomfield, Director-
General of Health
•  Waikato DHB - issue ownership and technical response CEO Kevin Snee

The below roles and responsibilities are specific to the communications roles within the existing
Waikato CIMS structure for this event.
  Strategy and
Content
Coordination
Media Liaison
Approval
Approach
Generation
and Oversight

Chris Lowry

Kevin Snee

*temporary supporting resource in italics

Audiences

Communications on this issue will be targeted at specific audiences: There are five primary
audiences for information provided by the Ministry:
•  the public – including particular groups that may be more obviously affected and ensuring
they’re aware of support offered
•  the health sector –providing sufficient timely information to allow them to be able to
perform their jobs appropriately in relation to the issue
•  Ministers and Government – primarily the Minister and Associate Ministers of Health, other
related Ministers, and DPMC.
•  other health agencies, particularly those also affected by this issue.
•  DHB staff – so they are informed about the DHB’s role, the action being taken and its impact,
so they can either assist with the response, or work to manage its effect on the sector

Approach

Generally our plan is primarily focused on the public release of information through the media, DHB
website and social media.
Our primary approach is to communicate in ways that build and maintain trust. To do this we will be
guided by the fol owing:
•  Announcing early – providing information promptly and regularly.
•  Using credible spokespeople - we will use key spokespeople within the DHB, Ministry and
health sector and share messaging
•  Being accountable and transparent. We wil  be candid about what we can and can’t say,
describe the process we are fol owing to provide answers to questions we can’t currently
answer; and use appropriate channels to achieve our aims.
Communications Plan _DRAFT 23 May 2021

3 of 11

CYBER SECURITY EVENT

  •  Listening and responding– ensuring a good feedback loop with Healthline; social media; and
sector feedback to assist in responding appropriately.
•  Refining plans. As issues and concerns arise, we will be refining our response and
communicating the appropriate actions taken.
•  Our communications will emphasise our efforts to put people and their health first – and the
importance of keeping secure their health-related information.

Tactics

Due to the restrictions we have using digital platforms and the need to keep communications
consistent and clear we will be distributing regular proactive and reactive updates through the
following channels:

Audience -  Internal
Staff
•  Email
•  Posters/whiteboards
•  Handouts (paper notes, etc)
•  Text messaging
•  Microsoft Teams
Audience - External
Ministers and
•  Ministerial briefings and OIA responses
Government
•  Phone (with key relationship manager)
•  Face to face and digital meetings
Key stakeholders and
•  Phone (with key relationship manager)
partners
•  Text messaging (TBC)
•  Face to face and digital meetings
The wider health sector
•  Digital platforms (including websites and social media
platforms)
•  Email
•  Phone (with key relationship manager)
The general public
•  Media releases
•  Digital platforms (including websites and social media
platforms)
•  Contact centres who are receiving inbound calls for the
Waikato DHB
•  Through staff during attendance at services

Frequency of proactive messaging is as follows:

•  Staff updates: Twice daily at 11am and 5pm (following the 7am and 3pm CIMS meetings)
•  Stakeholder updates: Once daily at 1pm
•  Media/public update: once daily at 1pm

Post event communications evaluation

Communications Plan _DRAFT 23 May 2021

4 of 11

CYBER SECURITY EVENT

Communications Plan _DRAFT 23 May 2021

5 of 11

CYBER SECURITY EVENT

Appendix 1: FAQs
WHAT HAPPENED?
At 0240 hours on 18 May 2021 Waikato DHB experienced an unauthorized cyber intrusion to its
computer systems. Systems have been severely adversely affected. Information held by the DHB,
including personal health information may have been accessed during the incursion.

HOW HAS WAIKATO DHB BEEN AFFECTED?
The DHB is continuing to provide services through using manual and paper based systems while the
IT services are restored. Reduced services are available, however, without access to systems, the
support processes are manual, and activities are taking longer with continued disruption to business
as usual ‘flow.’
Waikato DHB is keeping the public informed of the services available, the cyber- attack and the steps
individuals can take to reduce the risk of scams or other illegal activity.
Recovery of IT systems is being planned for systems to be isolated, secured, and restored.
Patient safety and wellbeing remains the DHB’s number one priority.
HAS MY PRIVACY BEEN BREACHED?
Unauthorised cyber access to digital information has now been identified as potentially affecting
information held by the DHB. At this point we have not seen any indication that information has
been taken, however we remain open to that possibility. We may never know whether information
was taken.
We are in contact with the office of the Privacy Commissioner and will follow their advice should it
become clear that there has been a privacy breach.
HOW IS THE INVESTIGATION GOING?
The unauthorised access is a crime and has been referred by the DHB to the Police. A careful
forensic investigation is well underway. While this is a complex and challenging investigation, good
progress is being made. As this is a criminal matter, we are unable to comment any further.
CAN I STILL ACCESS THE HOSPITAL OR CLINICS?
The DHB is continuing to provide inpatient, surgery, outpatient and Emergency Department services.
Patients for some services which are more reliant on computer based systems such as radiology are
being referred as appropriate to other services and other DHBs.
Communications Plan _DRAFT 23 May 2021

6 of 11

CYBER SECURITY EVENT

To avoid unnecessary travel to Waikato Hospital from our rural areas, we are encouraging all
patients check our website or to first call to confirm their appointment is still going ahead.

It is necessary that our Emergency Departments remain for emergencies only at this time. If you
need immediate or urgent help, please continue to call 111. If it is not an emergency, please phone
Healthline on 0800 611 116, visit your GP or local urgent care centre.
HOW CAN I FIND OUT WHAT’S HELD ABOUT ME?
We can’t at this stage provide all the information about individuals that was on the IT system due to
the way the information was col ated and reported. But we can say what types of information was
held. The Ministry and DHB continue to investigate whether this information, at an individual level,
can be realistically provided. Secure information exchange between health agencies is critical for the
provision of modern, quality and evidence-based healthcare.
WHO IS TO BLAME?
The key focus to date has been on ensuring the cyber security risks are managed. There remains
ongoing work to look how we may limit the chances of this occurring again.
A full review will take place in the future.
WHY ARE THERE SO MANY INSTANCES OF INFORMATION BREACHES OF INFORMATION?
CERT NZ the Government’s Computer Emergency Response Team received close to 1200 reports in
the three months to 30 June 2019 (the bulk of them being scams or fraud). The health sector
continues to strengthen its cyber security.
HAS THIS IMPACTED THE DELIVERY OF THE COVID-19 VACCINE IMMUNISATION PROGRAMME?
COVID-19 vaccine delivery is continuing as planned. Communication regarding when you are eligible
for your vaccination will continue to come directly from the MOH and our 0800 line is operational.
Due to high volumes, we ask that you only ring this number if you have been contacted by the DHB
to book your appointment. If you have received a link to make your booking online, please attempt
to use this method to book in the first instance.
WHAT’S BEING DONE FOR THOSE AFFECTED
Advice to anyone concerned about these incidents is to contact Healthline.
Advice on keeping yourself safe from scams and to reduce the risk of misuse of your identity or
information is provided by Netsafe https://www.netsafe.org.nz/scam-tips/ or CERTNZ
https://www.cert.govt.nz/individuals/guides/stepping-up-your-cybersecurity/cyber-security-social-
media/
That advice includes:
• watch out for scams or phishing by phone, text or email
Communications Plan _DRAFT 23 May 2021

7 of 11

CYBER SECURITY EVENT

• be cautious about clicking on links and attachments in test or email
• don’t give out personal information without checking on the company asking and then
contact them via another method to verify the authenticity of the request.
HOW ARE THE STAFF HOLDING UP?

The efforts of Waikato DHB are outstanding, particularly given the ongoing impacts of the COVID-19
pandemic as well. People are taking good care of each other and spirits remain high.

HOW MUCH WILL THE RECOVERY COST?

The total cost for recovery is still being established. Fortunately, Waikato DHB is covered by
insurance for this event.

Communications Plan _DRAFT 23 May 2021

8 of 11

CYBER SECURITY EVENT

Appendix 2: Key Messages

•  Waikato DHB’s number one priority remains the safety and care of patients. Staff in all areas
of the organisation are focused on continuing to provide excel ent health services.

•  The organisation is working as quickly and thoroughly as possible to return to business as
usual. In the meantime business continuity plans are in place and working wel  and our
dedicated staff are doing a great job of working in this environment.

•  Patient and staff privacy are of upmost importance to the DHB. At this stage there is no
evidence that patient or staff information has been breached, but we will continue to work
with external experts and are vigilant in our investigations.

•  As the matter is the current subject of an ongoing, challenging and complex criminal
investigation with the NZ Police; Waikato DHB is unable to go into too much technical detail
of the cyber security event.

•  We are committed to to keeping al  patients and their whānau informed with any changes to
their care. All changes to services, including what appointments patients can expect to go
ahead, are available on the Waikato DHB website. To avoid unnecessary travel to Waikato
Hospital from our rural areas, we are encouraging all patients to check our website or to first
call to confirm their appointment is still going ahead.

•  For those needing to contact the DHB, the main number for external enquiries (0800 276
216) and the main DHB/hospital number (07 839 8899) are operational, although high
volumes may mean some waiting at the moment. Because of the high demand, we ask those
calling the DHB or hospital services to keep trying if their call drops off.

•  It is necessary that our Emergency Departments remain for emergencies only at this time. If
you need immediate or urgent help, please continue to cal  111. If it is not an emergency,
please phone Healthline on 0800 611 116, visit your GP or local urgent care centre.

•  Waikato DHB is working closely with experts from across government and private providers
to fix the current issues and plan for the on-going recovery.

Communications Plan _DRAFT 23 May 2021

9 of 11

CYBER SECURITY EVENT

Appendix 3: Key contacts and spokespeople
Subject Matter
Contact Name

Communications Plan _DRAFT 23 May 2021

10 of 11

CYBER SECURITY EVENT

Appendix 4: Scenario planning

Below is an outline of each of the potential scenarios being planned for, should one be discovered
during the investigation and recovery.

Scenario 1:
Scenario 2:
Scenario 3:
Scenario 4:
It is unclear
We have clear
We have some
We have
whether any
evidence that
indication that
evidence to
staff or patient
some data has
patient/staff
determine
data has been
been breached
information has
whose privacy
breached and
but we are
been breached
has been
we may never
unable to
but cannot
breached and
have conclusive
determine that
conclude whose
what
evidence either
that
data has been
information this
way.
information
affected on an
was.
individual level.
included.

Communications Plan _DRAFT 23 May 2021

11 of 11

Document Outline