Cyber attack expert urges caution
A data expert says it’s likely a valid administrative account was used in the cyber attack on a major primary health provider’s system.
The cyber attack took place on Wednesday, September 28 and has compromised patient details kept by Waikato and Bay of Plenty health provider Pinnacle, which operates dozens of GP practices.
The affected IT was immediately taken offline and contained, but the Pinnacle group regional offices, and Primary Health Care Ltd practices across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato were impacted.
Datacom cybersecurity director Matthew Evetts said though information about the nature of the attack had not been released, it was likely a valid administrative account was used to access the system.
This was because some users reported their devices resetting, raising the first alarm of an attack.
He said the account details could have been stolen or bought, but because they were real accounts they were more difficult to pick up.
Chief executive Justin Butcher said on Tuesday that investigations were still underway, but it appeared the “malicious actors” had accessed information from the system, which could include commercial and personal details.
Butcher would not say if any demands had been made by the “malicious actors” and did not know what they would do with the accessed information.
Pinnacle does not hold information such as GP notes, but does hold personal information such as names, addresses, and National Health Index (NHI) numbers.
“At this point in time, we cannot confirm what specific data or information may have been accessed, but we are working through a process to better understand that,” he said.
“This will take time, however, we believe it is important to disclose this incident now, so we can support those people who have potentially been impacted.”
On Wednesday, a spokesperson said the investigation was still in early stages and there was no further information.
In a statement, Pinnacle said it “engaged external support partners and launched an in-depth investigation alongside relevant authorities.
“We have also laid a complaint with the police and are working alongside Te Whatu Ora and a number of other Government agencies.”
Evetts said personal data was usually stolen to be sold and used for fraud or for gaining more information. The personal information could be leveraged to uncover more information about the person before it was used to extort money out of a person or organisation.
He said patients involved with Pinnacle’s GP centres should, now more than ever, be careful about their online activity.
People should also make sure the person or organisation they were dealing with online was who they said they were.
He said using a password vault was a good way to keep on top of having a unique password that was regularly changed.
Evetts said Pinnacle had done the right thing by enlisting experts to forensically investigate the breach and uncover what was and wasn’t taken.
“They are not saying anything about how it was taken. That is wise because you don’t want to open yourself to more attacks.”
He said when the extent of the breach was known Pinnacle would need to work with staff and patients to mitigate the fallout of what could be done with the stolen information.
Malware breaches, when someone downloaded something they shouldn’t, were on the decline, he said. But many people and organisations were still falling victim to social engineering cyber attacks – by phishing, phone calls, and texts.
He said people were becoming more aware and careful about their online activity, but attackers were constantly advancing.
Evetts said it was important an organisation’s people, processes and technology were as secure as possible.
It wasn’t just about the online systems, it was also about making sure staff understood why and how to keep safe and that processes were in place to keep information secure.