28 July 2022
Scott Miller
Email:
[FYI request #17423 email]
Tēnā koe Scott,
Your Official Information Act request, reference: Request for official information relating to
commissioner and FRAC meeting minutes on cyber security
We refer to our letters dated 24 January, 2 June and 12 July 2022 in response to your information
requests received on 7 December 2021 and 17 May 2022 made under section 12 of the Official
Information Act 1982 (OIA). We appreciate your patience while we considered your requests during
this extraordinary time of change for the health sector and under extremely trying times during winter
for the Waikato District Health Board whilst we transitioned to Te Whatu Ora Health New Zealand.
You will recall that on 24 January 2022 Waikato DHB provided its decision on your request dated 7
December 2021. On 2 June 2022 we advised that noting some time had passed since your request
of 7 December, and acknowledging the public interest, we were giving further consideration to our
earlier decision to withhold 9 items in full in response to your earlier request of 7 December 2021.
We advised that we would consider this in conjunction with your more recent request dated 17 May
2022. We now provide our decision on your requests as follows:
1. Decision on 9 items withheld on 24 January 2022
Te Whatu Ora Health New Zealand Waikato is committed to being open and transparent to the
fullest extent possible. We acknowledge the public interest in disclosing information about the
May 2021 cyber security incident to promote transparency and accountability of decision-making
and we continue to update our website with information
https://www.waikatodhb.health.nz/information-system-update-service-and-clinic-latest/
With that said, we are committed to protecting its patients, staff and community from any further
harm. In circumstances where cybercriminals continue to monitor for network vulnerabilities,
withholding certain information is necessary to avoid any prejudice to measures protecting the
community’s health and safety and to prevent the use of official information for improper gain or
improper advantage. Further, this information forms part of important criminal and regulatory
investigations into the Incident which are not yet concluded.
With these considerations in mind, we have decided that withholding this information is
necessary to avoid prejudice to measures protecting the health or safety of members of the
public, avoid prejudice to the maintenance of the law, prevent the use of official information for
improper gain or improper advantage, and maintain legal professional privilege.
For these reasons, this request is refused under the exception set out in section 18(a) of the OIA,
on the basis that there is a good reason for withholding the reports with reference to sections
9(2)(a), 9(2)(ba)(i), 9(2)(c), 9(2)(e), 9(2)(g), 9(2)(h) and 9(2)(k) of the OIA. Withholding the
reports is also necessary pursuant to section 6(c) of the OIA to avoid prejudicing the maintenance
of the law, including the prevention, investigation and detection of privacy-related offences.
2. Decision on your request dated 17 May 2022 for
“..copies of the minutes of all Commissioners' and Finance Risk and Audit Committee
meetings, dated since the beginning of December 2021. Specifically, the sections of these
minutes that deal with the topics of:
a. The Waikato DHB ransomware attack and its aftermath
b. Digital systems, digital investment and cybersecurity at Waikato DHB generally”
This request is refused under the exception set out in section 18(a) of the OIA, on the basis that
there is a good reason for withholding the reports with reference to sections 9(2)(a), 9(2)(ba),
9(2)(c), 9(2)(h), 9(2)(j) and 9(2)(k) to avoid prejudice to measures protecting the health or safety
of members of the public, maintain legal professional privilege, and prevent the use of official
information for improper gain or improper advantage. Withholding these documents is also
necessary pursuant to section 6(c) of the OIA to avoid prejudicing the maintenance of the law,
including the prevention, investigation and detection of offences.
We understand that you have made a statement regarding the Ministry of Health’s public disclosure
of documents on the response to the incident affecting Tū Ora Compass Health. However, critically,
the scale and risk profile of the Tū Ora Incident and the Incident impacting Waikato DHB is not
comparable.
Firstly, the Tū Ora Incident involved no positive evidence that unauthorised access to patient data
occurred. Secondly, the type of patient enrolment data compromised in the Tū Ora Incident was not
on the same scale. In the Tū Ora incident, doctors’ health information records were not impacted.
Impacted information was primarily limited to an individual’s National Health Index number, name,
date of birth, address, ethnicity, gender and GP practice.
However, the Waikato DHB Incident included more sensitive categories of personal information
relating to staff and patients. Waikato DHB has been in ongoing consultation with the Office of the
Privacy Commissioner on this issue. Further, the context of the Waikato DHB Incident attracts a
higher risk profile, noting that information was actually exfiltrated in this Incident, the cybercriminal
engaged with the New Zealand media and published stolen data on the dark web. Waikato DHB has
taken steps to prevent any further use or access from occurring (including by obtaining a High Court
injunction).
We have also engaged with the National Cyber Security Centre and the New Zealand Police to assist
with their investigation into the Incident.
We appreciate your patience while we have considered your request. If you are not happy with this
response, you have the right to make a complaint to the Ombudsman. Information about how to do
this is available at
www.ombudsman.parliament.nz or by phoning 0800 802 602.
Nāku iti noa, nā
Garry Johnston
Acting Executive Director: Digital Enablement
Waikato District
TeWhatuOra.govt.nz