Some health services in the Midland region were hit by hackers last week. 

The Pinnacle Midlands Health Network reported a breach on 28 September, impacting some of its IT services in the Pinnacle group regional offices and general practices under Primary Health Care Ltd. across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.

In a statement on Tuesday, the network, which serves about 450,000 patients in 87 practices, said the affected IT was "immediately taken offline and contained." 

However, malicious actors had already accessed sensitive information from the system, "which could include commercial and personal details."

"At this point in time, we cannot confirm what specific data or information may have been accessed, but we are working through a process to better understand that," said Justin Butcher, CEO of Pinnacle Inc., the parent company of the network. 

He added that knowing which data were accessed "will take time."

Pinnacle said it does not hold information like GP notes but it does maintain personal information, such as names, addresses and National Health Index numbers.

Meanwhile, Butcher said they have already put contingency plans in motion and launched an in-depth investigation alongside the police, Te Whatu Ora, and other relevant government agencies. It has also notified the Privacy Commissioner of the incident. 

Pinnacle has also engaged IDCARE, the national identity and cyber support community service, which provides free specialist support to individuals who are believed to be at high risk due to the exposure of their information. The service has advised current and former patients of Pinnacle to "remain vigilant" about the risk of scams.

While the affected practices remain operational, patients may experience delays when contacting some practices, Pinnacle advised. 

"We know that people will rightfully be very concerned about this, and we want to ensure the public that Pinnacle takes our role as stewards of people’s information seriously, and security is of utmost importance to us," Butcher assured patients.

In a separate statement, Te Whatu Ora maintained that the Pinnacle cyberattack is "no indication of a threat to Te Whatu Ora networks" as its system is separate from Pinnacle. 

"While Pinnacle is a private entity, Te Whatu Ora is assisting the organisation in their investigations and supporting their efforts to comply with relevant cybersecurity best practices and policies," it said.

THE LARGER TREND

The cybersecurity of healthcare services in the Midland region seems to remain vulnerable even after a year since its last hacking incident. On 18 May last year, the former Waikato District Health Board suffered a full outage of its IT system following a ransomware attack. Hackers claimed to have released sensitive patient information from the DHB on the dark web.