“Treat the information as you would expect others to treat yours if it were disclosed,” Privacy Commissioner John Edwards said.

The hackers who took “sensitive personal” patient and staff information from Waikato DHB are likely to let more out, the Privacy Commissioner says.

A ransomware breach struck the district health board on Tuesday, 18 May.

Some patient, staff and other personal information has already been sent to several New Zealand media organisations, a statement from Privacy Commissioner John Edwards said.

Stuff had received information in an email from someone claiming to be behind the hack and passed it to police.

Edwards is advising people to do the right thing if they are sent or find personal information which could be from the breach.

“The information that has been taken is likely to be sensitive personal information. This is likely to be causing a great deal of anxiety to the people affected.

“It is vital that people respect the personal information of others,” he said. “Treat the information as you would expect others to treat yours if it were disclosed to you.”

The missive from the Privacy Commissioner comes a day after he said Waikato DHB should be monitoring the dark web to make sure hacked files didn’t appear.

It's a complex attack that won't be resolved fast but more information on timeframes should be available soon, Waikato DHB chief executive Kevin Snee said in the May 26 media conference.

His office wasn’t investigating the DHB to determine liability, he said, but he was keeping a close eye on the situation.

He also warned other DHBs to act on any identified holes in their IT security systems, or risk leaving themselves open to prosecution if things went wrong.

That was prompted by a report on a 2020 health IT stocktake, and a subsequent warning to the Government and DHBs that systems were vulnerable to “significant” cyber threats.

Privacy Commissioner John Edwards has said he's keeping a close eye on Waikato DHB's situation.

What to do if you find or receive personal information

Keep it isolated and secure

Inform the Ministry of Health and NZ Police, who can can give advice on whether to delete the information

Source: Privacy Commissioner