The privacy commissioner says the sensitive Waikato DHB data dump onto the dark web is of "great concern".
Privacy Commissioner John Edwards. Photo: Supplied / Office of the Privacy Commissioner
Swathes of staff and patient information was published online yesterday following last month's ransomware attack that crippled five hospitals' IT systems.
The information on the dark web includes bank details, drivers' licences, passports, home addresses, medical reports and other private records.
Privacy commissioner John Edwards said the data breach was serious.
"This will be a matter of some anxiety, I think, for people in the Waikato who are affected by this," Edwards said.
Despite that, his office was not investigating, he said.
"I don't think it's the right time for us to be engaged in any kind of forensic examination while the DHB is seeking to restore its systems and address the harm that's been done to those individuals."
The commissioner said he had not seen any of the documents posted online, but his office had seen screenshots of a directory of sensitive files.
Edwards could not confirm whether it was New Zealand's largest ever privacy breach but said it was "very significant".
"The DHB is in the process of examining the extent of the dump that has been made to that website, so it's hard to judge."
It was not yet known how many people had their information put onto the dark web.
In a statement on Tuesday, the Waikato DHB said it would notify affected staff and patients "as appropriate".
Edwards said that should be done as soon as it was "reasonably practical".
"If the scale of the dump is such that, you know, it's not practical to get around every individual, then they may need to consider doing some sort of public notification process," he said.
Potentially, the private information of hundreds of patients and staff had been posted online.
Edwards was concerned the dumped information could be exploited.
"People could experience identify theft, there could be sensitive information which people expect to be kept private then publicised.
"The DHB just needs to be vigilant, keep an eye on the distribution of that information, taking all efforts to have it removed from that site if that's possible, and offering support to the affected individual."
When RNZ asked what could be done about the information being online, the commissioner said "I don't know".
"That's for the DHB to examine. It may be that little can be done, but we'll just have to leave it to them."
Waikato DHB would not be fined for the data being hacked and published, but it may face liability if harm was caused, Edwards said.
"If people experience harm as a result of this and are able to show that that was a result of some failure of due diligence by the DHB, then those people could be entitled to compensation."
Such harm could be debts incurred in someone's name as a result of identity theft, or if the information published caused significant humiliation, distress or injury to feelings, he said.
The DHB said it was working closely with the privacy commissioner to ensure it meet its obligations to notify both patients and staff whose data may have been affected.
