Cyber attack on health provider Pinnacle a 'wake up call'

A top doctor is calling a cyber attack on a major primary health provider that has compromised the details of potentially thousands of patient details a “wake up call to the sector”.

Health workers are scrambling to deal with a cyber attack which has compromised details kept by Waikato and Bay of Plenty health provider Pinnacle, which operates dozens of GP practices.

Director of the Royal New Zealand College Dr Bryan Betty said the cyber attack was concerning, but he was reassured the Pinnacle was taking the appropriate steps to deal with the incident – and had been transparent.

He said the attack mostly targeted “topline data” and didn’t appear to impact patient records.

“They will obviously need to do more work to unpack that.”

But, he said this should come as a “wake up” to the sector.

In a statement Pinnacle said services impacted include the Pinnacle group regional offices, and Primary Health Care Ltd (PHCL) practices across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.

The incident took place on Wednesday, September 28, and the affected IT was immediately taken offline and contained.

Chief executive Justin Butcher said that while investigations are still underway it appears that before the breach was notified and the IT was contained the malicious actors accessed information from the system, which could include commercial and personal details.

In June, Health Minister Andrew Little promised an inquiry into the Waikato DHB hack.

“At this point in time, we cannot confirm what specific data or information may have been accessed, but we are working through a process to better understand that. This will take time, however, we believe it is important to disclose this incident now, so we can support those people who have potentially been impacted.

“Our systems flagged the incident with us, and we were able to move swiftly to take the affected IT offline. We engaged external support partners and launched an in-depth investigation alongside relevant authorities. We have also laid a complaint with the police and are working alongside Te Whatu Ora and a number of other Government agencies.

“We know that people will rightfully be very concerned about this, and we want to ensure the public that Pinnacle takes our role as stewards of people’s information seriously, and security is of utmost importance to us. Unfortunately, malicious cyber activity is a constant threat and New Zealand is not exempt from this.”

He said they have put contingency plans in place and are working to understand exactly what happened and who has been impacted.

The Privacy Commissioner has also been notified.

Pinnacle does not hold information such as GP notes, but does hold personal information such as names, addresses and National Health Index (NHI) numbers.

The affected practices are still providing services, and people can continue to seek care as normal. However, patients may experience delays when contacting some practices. So, if you are needing care, please call your doctor or medical centre as you normally would.

A freephone support line will be set up on Tuesday for people wanting further information.

Minister aware

Health Minister Andrew Little confirmed just before noon that there had been a cyber attack against Pinnacle Health.

Little said he and the ministry expected Pinnacle to release details about the attack on Tuesday afternoon. He said patient data has been taken.

“I understand patient data that has been exfiltrated, but it is for Pinnacle to front up and explain to its patients how that happened,” he said.

National health body aware of attack

Te Whatu Ora – Health New Zealand said in a statement it was working to support Pinnacle.

The two entities have seperate systems and there was no indication of a threat to Te Whatu Ora networks.

Te Whatu Ora said it was first notified of the incident on Wednesday 28 September 2022, and Pinnacle quickly acted to take all affected systems offline. This includes Pinnacle group regional offices, and some Primary Health Care Ltd (PHCL) practices across Tairāwhiti, Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.

Te Whatu Ora have a $74.5m, three-year cyber security uplift programme of work to improve cyber security across the sector including working with PHOs on improving cyber security.

As a local health care network, Pinnacle has contingency processes in place which allow them to continue providing services during the response to this incident.

He said the attack mostly targeted “topline data” and didn’t appear to impact patient records.

“They will obviously need to do more work to unpack that.”

But, he said this should come as a “wake up” to the sector.

Te Whatu Ora Waikato – formerly Waikato DHB – was attacked by hackers in 2021 and Wellington PHO Tū Ora Compass Health suffered a cyber attack in 2019.

Betty said hackers were getting more sophisticated and system upgrades should be considered constantly.

‘Server error’

On Thursday last week, a nationwide server system error prevented general practitioners from answering calls and accessing patient management systems across the country.

The issue appeared to affected practices within the Pinnacle primary care group. Pinnacle Midlands Health oversees more than 80 GP centres in the central North Island.

In a statement, Pinnacle chief executive Justin Butcher said the Pinnacle Midlands Health Network experienced an incident impacting IT services delivered to Pinnacle group regional offices and Primary Health Care Ltd practices.

Butcher said essential services remained operational but patients could experience delays when contacting some practices.

“We have engaged external support partners and investigation is ongoing. As we are in the early stages of identifying what has happened, we are unable to provide any further information at this time,” Butcher said.

On social media, practices were reporting systems coming back online just ahead of 11am.

Hamilton East Medical Centre advised at the time the delays were likely to affect phone services and prolong wait times.

Director of the Royal New Zealand College Dr Bryan Betty confirmed the server issues affected practices around the country but were “quickly resolved”.

Phishing trip a possibility

Aura Information Security cyber security expert Alastair Miller said it wasn’t immediately clear from the initial information about the incident whether Pinnacle Health had experienced a ransomware attack or some other breach.

One possibility was that a criminal had managed to access its systems through a phishing attack by tricking an employee into releasing their online credentials, he said.

“Certainly it looks like someone managed to get access to Pinnacle Health’s networks and was able to pull out data,” Miller said.

Patients should brace themselves for their medical information being dumped on the dark web or on the web itself, he said.

“The worry is if it has compromised credentials of a clinical health person who then had access to wider health networks,” he said.

“They could then have logged into those systems and got data out of them. The worry is how wide the breach may end up going.”

Nation’s biggest health hack

In May 2021 the then-Waikato DHB was the subject of an attack by hackers.

It left IT systems at Waikato Hospital and its satellites crippled, ham-stringing health care across the region for more than a week and causing ongoing problems long after.

Some of the material appeared on the internet after the government refused to pay a ransom.

The list of documents suggested it included folders containing patient information as well as information about employees and the DHB’s financial affairs.

The IT systems of the DHB, which is the fifth-largest in the country and provides care to more than 430,000 people, were rendered inaccessible.

At the time Health Minister Andrew Little said cyberattacks were “the reality of the world”, noting Ireland’s health service had also suffered a huge ransomware attack days before Waikato DHB discovered it had been attacked.