Waikato DHB failed OIA requirements over cyber security breach – Ombudsman – RNZ

waikato-dhb-failed-oia-requirements-over-cyber-security-breach-–-ombudsman-–-rnz

Were you aware that someone could be secretly watching you or your child with your webcam right now? Is it worth taking such a risk? camDown can help stop them!

A district health board has failed to meet its requirements under the Official Information Act, prompting intervention from the chief ombudsman.

Waikato Hospital

Waikato District Health Board was paralysed by a cyber security breach in May.
Photo: RNZ / Simon Rogers

Waikato District Health Board largely ignored a series of questions from Local Democracy Reporting in June regarding the cyber security breach that paralysed the DHB in May, forcing the postponement of surgeries and relocation of some cancer patients.

Hackers stole personal patient and staff information during the breach and later dumped swathes of data on the Dark Web for anyone to access.

Instead of answering questions about the attack and what might have led to it, the DHB logged them through the Official Information Act (OIA), which allows it 20 working days to respond.

However it did not respond in the timeframe and did not seek an extension, prompting a complaint from Local Democracy Reporting to the Ombudsman's office on 27 July.

On 2 August, outside the response timeframe, the DHB sent a letter to Local Democracy Reporting dated 29 July saying it was "keen to be as transparent as possible".

"We are aware that there is a public interest in the release of information to promote accountability and procedural fairness in government together with robust decision-making," the letter from hospital and community services executive director Chris Lowry said.

"We also understand that there is significant public interest in ensuring the safety and security of patients, staff and the Waikato community."

Lowry went on to say investigations into the incident were ongoing.

"Waikato DHB is working with the National Cyber Security Centre, the Government Communications Security Bureau and the New Zealand Police to remove the data and avoid further disclosure," she said.

"Unfortunately, predicting what cyber criminals will do with the data is problematic and preventing further disclosure is an ongoing and challenging task.

"As a result, there is a significant public interest in ensuring that investigations into the disclosure are not prejudiced while they are continuing."

She said the DHB had been focused on restoring systems for the safe delivery of healthcare, and as the restoration was ongoing the DHB did not have access to all of its information systems.

Because of that she said the DHB would extend its timeframe for a response to 28 October.

However, chief ombudsman Peter Boshier investigated the case and did not agree with the DHB's approach.

No caption

Peter Boshier.
Photo: RNZ /Dom Thomas

In a letter to Local Democracy Reporting on 21 October, Boshier said decisions over responses to the questions asked on 17, 23, 24, 28 and 29 June and 26 July, should have been made and communicated by the DHB no later than 15, 21, 22, 26 and 27 July and 23 August.

"As a result, I have formed the final opinion that there has been a failure to meet the requirements imposed by the OIA," he wrote.

Boshier recommended the DHB:

  • Make decisions and communicate them to Local Democracy Reporting as a priority;
  • Review its procedures for responding to official information requests; and
  • Remind its staff of their obligations under the OIA.

He reported the opinion to Minister of Health Andrew Little.

Local Democracy Reporting asked Waikato DHB to comment on Boshier's finding.

"The DHB takes its obligations under the Official Information Act seriously and has a strong record of full compliance," a DHB spokesperson said in a statement.

"The DHB has accepted that it was late in responding to one request received from RNZ during the organisation's recovery period from the cyber outage and issued an apology.

"The DHB interpreted the multiple further requests submitted consecutively by RNZ as amendments replacing the original request and under the Official Information Act informed RNZ of the intended response date of October 28. We accept the Ombudsman's decision that these should have not have been treated this way and will respond accordingly.

"Investigations into the cyber attack are ongoing."

The Official Information Act 1982 allows anyone to seek information from government agencies and the Local Government Official Information and Meetings Act (LGOIMA) 1987 allows the same for councils.

Media Freedom Committee chairperson and New Zealand Herald Head of Premium Miriyana Alexander said a key focus for the committee this year was holding government agencies and councils to account when it came to using the OIA and LGOIMA.

"We decided to tackle it because member newsrooms have been incredibly frustrated around ongoing issues with accessing timely information," Alexander said.

"Examples include even straightforward requests being treated as OIAs, failures to respond by the 20-day deadline and needing to chase overdue responses, and requests repeatedly being moved to other agencies well into the process.

"None of that is in the spirit of the law at all," she said.

"The OIA was a crucial element of a functioning democracy, and in my view it's never been a more vital tool for journalists.

"We are living through a crisis thanks to the global Covid pandemic, and it is important the significant decisions being made by the government that impact all New Zealanders at home and overseas are examined and scrutinised.

"Those decisions traverse health, justice, education - and our very liberties and freedoms and need to be held up to the sunlight."

The committee had met with Boshier to share its concerns.

"The committee will continue to scrutinise this important area of work that our journalists do."

no metadata

Local Democracy Reporting is a public interest news service supported by RNZ, the News Publishers' Association and NZ On Air.

You know, I just wanted to mention that camDown is easy to use, easy to maintain and your family would agree!