Hamilton Skin Cancer Centre
Cyber-Incident Statement
11 October 2022
The Hamilton Skin Cancer Centre (HSCC) recently became aware of a cyber-security incident where an unidentified malicious actor gained unauthorised access to a widely used IT platform in the primary healthcare sector and downloaded some data.
As soon as we became aware of the incident, all affected systems were deactivated and we retained the services of leading cyber-security and forensic I.T. advisors to assist us in containing the incident, securing our systems, and commencing a forensic I.T. investigation into what occurred. We are advised that this investigation may take some time to complete.
Interim findings of our investigation so far indicate that some of the data downloaded by the unidentified third party has now been published on the dark web (the dark web is a hidden part of the internet not searchable by the general public using search engines like Google, and requires specialised software and skills to access).
The Privacy Commissioner has been notified about this incident. If members of the public have further concerns, they have the right to complain to the Privacy Commissioner.
Please visit the Privacy Commissioner website for further information about privacy rights and responding to cyber security incidents: https://www.privacy.org.nz/your-rights/your-privacy-rights/ .
Affected images of some HSCC patients
Unfortunately our image storage system was affected, which means the third party may have downloaded image files of some of our patients; for example, close-up images of skin lesions which may include patients’ faces.
We have commenced directly notifying the patients whose images may have been affected. Any HSCC patient who does not receive a notification email or letter from us by Monday 17 October should consider themselves not affected by this cyber-incident.
At this stage our investigation has not revealed any evidence that personal information such as contact information, bank card or credit card details, email addresses, National Health Index (NHI) numbers, or telephone numbers has been affected, downloaded, or published by the third party.
We sincerely apologise that this incident has occurred and for any stress or anxiety it may cause our patients. We will continue to keep all relevant stakeholders updated on the progress of our ongoing forensic I.T. investigation into the incident, including our system restoration efforts.
What should affected patients do?
Cyber criminals typically seek to misuse information that can be manipulated for financial gain (such as identity documents for identity theft). For this reason, clinical images alone are not useful to a cyber-criminal; therefore there is nothing affected patients need to do in response to mitigate data risk. We fully appreciate, however, that it will be concerning for some of our patients to learn that their images may have been accessed in this manner.
If affected patients experience personal distress in relation to this matter, we recommend they contact their regular medical practitioner (GP), or a close family member or friend, as soon as possible.
How can affected patients access support?
Hamilton Skin Cancer Centre (HSCC) has engaged the specialist support services of IDCARE, New Zealand’s national identity and cyber support community service.
IDCARE services are free to the New Zealand community in providing specialist support to individuals who believe they are at heightened risk due to the exposure of their images affected by this cyber incident.
IDCARE Case Managers can be engaged via their online Get Help for Individuals booking form at idcare.org and by using the referral code PCC22 when prompted. IDCARE’s National support number is 0800 121 068 and is active from 9am NZDT to 7pm NZDT Monday to Friday.
For further information about current scams and how to protect yourself, please visit www.idcare.org
How can affected patients continue to keep themselves safe online?
While our ongoing investigation has so far uncovered no evidence of affected information that could result in identity theft, we have provided some general advice below on how individuals can continue to keep themselves safe online.
Cert NZ, an organisation that supports organisations and individuals who are affected by cyber security incidents, recommends the following steps to protect your information.
- Use strong and long passwords or passphrases and make them different for each online account. Use a password manager to help keep them safe.
- Fake login pages can be very convincing. Enter the website address directly or use a bookmark in your browser, instead of following a link. This prevents fraudsters sending you to the wrong place.
Visit Cert NZ’s webpage on information leaks to read more about protecting your data; its webpage for individuals has more informative articles on keeping your information safe and secure online.
Other trusted resources and information on these topics can be found at:
I received a suspicious text message/email. What should I do?
Te Tari Taiwhenua (Department of Internal Affairs) has a complaint service for spam text and email: www.dia.govt.nz/Spam-Complain-About-Spam
DIA does not investigate unsolicited phone calls, postal mail or pop-up messages. If you have received an unsolicited phone call, please contact your telephone service provider.
If you believe you are the victim of an online crime, then please report the matter to the Police by dialling 105 (non-emergency reporting) in the first instance.
Next steps
The Hamilton Skin Cancer Centre takes cyber-security and the privacy of information very seriously and we are working with Government and private agencies to ensure we continue to meet all of our obligations in relation to this matter.
Please do not hesitate to contact Hamilton Skin Cancer Centre directly on 022-519-0862 or at info@hamiltonskin.co.nz if you have any further questions in relation to this incident.
ENDS
Media Contact
Please direct all media enquiries to:
Lorraine Muir
General Manager
022 519 0862