Following on from our public message on 12 October 2022, we wanted to provide an update on progress as Pinnacle continues to investigate the incident.
From what we know to date, on Wednesday, 28 September, malicious actors accessed a third-party IT server that Pinnacle Midlands Health Network (Pinnacle) uses. The attacker took health information ranging from approximately 2016 to 2022 and some of Pinnacle’s corporate information.
Pinnacle is a complex organisation with a network of nearly 500,000 patients. We are working through a process to identify and understand what information has been taken and have contracted experts in this field to undertake this investigation. There is a large volume of information to work through and files can typically contain many lines of information which are structured and coded in nature. This process takes time, and we are keen to ensure this information is retrieved and identified in a safe and secure manner.
By analysing file names, we can recognise many of the files that were involved in the breach. This means that while we understand what information is likely to be in the file, we are not yet at the point of understanding who the individuals within each file are.
We can see that some of the corporate information that was exfiltrated due to the breach relates to Pinnacle’s guidance, manuals and templates that are routinely downloaded by our staff while performing their roles.
From what we know so far:
We are working on identifying any information that may be especially sensitive, or which may be different from what we understand has been taken to date. If this process uncovers data that would cause a person to suffer serious harm, we have a process to take the appropriate steps with respect to that information.
We’ve maintained a close line of communication with the Privacy Commissioner throughout this incident.
Pinnacle remains deeply sympathetic to any affected individuals and would like to take the opportunity to thank everyone for their support and patience while we are working through our investigation.
Kia ora,
One of our roles as a healthcare provider is to hold information for medical centres, so we can help provide you with the best care possible. We take our role as stewards of people’s information seriously.
What has happened?
On Wednesday 28 September, malicious actors accessed a third-party IT server that Pinnacle Midlands Health Network (Pinnacle) uses. The attacker took health information ranging from approximately 2016 to 2022 and some of Pinnacle’s corporate information. This incident affected the services of the Pinnacle group in the Waikato, Lakes, Taranaki and Tairāwhiti districts. It also includes Primary Health Care Ltd practices from across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.
Pinnacle is deeply sympathetic to the stress this incident may have caused. We understand this has been a challenging time for all involved.
As Pinnacle continues to investigate the incident, we wanted to provide an update on progress.
Incident response
When Pinnacle became aware of the incident, the affected IT system was taken offline and contained. We implemented our backup systems safely and promptly. Subsequent analysis of systems showed no further evidence of malicious activity.
The incident response will take time to better understand what was taken from our IT platform. Pinnacle is a complex organisation with a network of nearly 500,000 patients.
Following the initial investigation, Pinnacle was notified on Saturday, 8 October 2022 that some of the data taken was released onto the internet by malicious actors. We are attempting to retrieve the stolen data and will provide updates where possible.
Our primary focus is to support people who may have been impacted, and to work with the authorities to ensure we are doing everything we need to be.
What we are doing
Pinnacle has notified the Police and is monitoring for malicious activity and continuing be vigilant in protecting the information we collect.
The Office of the Privacy Commissioner (OPC) has been notified, and we continue to consult with the OPC to ensure appropriate steps are being taken to protect the privacy of anyone who may be affected.
If you have any concerns, then you have the right to complain to the Privacy Commissioner. Please visit the OPC’s website for information about your privacy rights: www.privacy.org.nz/your-rights/your-privacy-rights.
Pinnacle continues to work with experts in our incident response process. This has involved support from government entities including the National Cyber Security Centre and Te Whatu Ora.
Support and questions
We are committed to supporting our patients and there are a number of ways you can get support.
IDCARE
Pinnacle has engaged the specialist support services of IDCARE, New Zealand’s national identity and cyber support community service. IDCARE services are free to the community in providing support to individuals who may be at heightened risk due to the exposure of their information.
IDCARE’s support number is 0800 121 068 and is active from 9am NZDT to 7pm NZDT Monday to Friday. Use referral code PBN22 when prompted. For further information please visit idcare.org.
Contact Pinnacle
If you have any other questions, please contact us at info@pinnacle.health.nz.
Nga mihi,
Justin Butcher
Chief Executive
Pinnacle Midlands Health Network has today confirmed that information illegally taken from the company’s IT platform has been uploaded to the internet by malicious actors.
The information and data relates to past and present patients and customers of the Pinnacle group in the Waikato, Lakes, Taranaki and Tairāwhiti districts. It also includes Primary Health Care Ltd (PHCL) practices from across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.
The initial cyber incident took place on Wednesday 28 September 2022 through an IT platform that Pinnacle is a customer of, and the affected IT was immediately taken offline and contained.
Justin Butcher, CEO of Pinnacle Incorporated says that while investigations are still underway, much of the information and data that was stolen last week has been made public.
“Over the past 24 hours, we were notified by our security experts that the data taken from our IT platform had been released by malicious actors.
“We acknowledge that this will be concerning to our patients and their whānau, and we are taking this seriously. Our immediate focus is on supporting people who may have been impacted, and working with the authorities to ensure we are doing everything we need to be.
“Due to the scale of the data that has been released, we are providing a general update now, and intend to provide further public notifications over the coming days.
“While Pinnacle does not hold GP notes and consultation records, we now have a much clearer understanding of the breadth of stolen data. This includes high level data related to the use of hospital services, claiming information related to services that Pinnacle provides, and information sent to practices around immunisation and screening status of individual patients.
“This is extremely unfortunate, and we are gutted as this impacts our whānau also. Cyber incidents like this are a constant threat, and while they are the doing of malicious actors, we feel for everyone who may have been affected.
“We are in contact with the Police and Office of the Privacy Commissioner”.
A freephone support line that was set up by Pinnacle through IDCare is available from Monday to Friday on 0800 121 068 for people wanting further information.
All affected practices are still providing services, and people can continue to seek care as normal. However, as notified previously, patients may experience some delays when contacting practices. So, if you are needing care, please call your doctor, or medical centre as you normally would.
Any further updates will be posted on this web page when available.
Pinnacle Midlands Health Network has experienced a cyber incident impacting some of its IT services.
The services impacted include the Pinnacle group regional offices, and Primary Health Care Ltd (PHCL) practices across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.
The incident took place on Wednesday 28 September 2022, and the affected IT was immediately taken offline and contained.
Justin Butcher, CEO of Pinnacle Incorporated says that while investigations are still underway it appears that before the breach was notified and the IT was contained the malicious actors accessed information from the system, which could include commercial and personal details.
“At this point in time, we cannot confirm what specific data or information may have been accessed, but we are working through a process to better understand that. This will take time, however, we believe it is important to disclose this incident now, so we can support those people who have potentially been impacted.
“Our systems flagged the incident with us, and we were able to move swiftly to take the affected IT offline. We engaged external support partners and launched an in-depth investigation alongside relevant authorities. We have also laid a complaint with the Police and are working alongside Te Whatu Ora and a number of other Government agencies.
“We know that people will rightfully be very concerned about this, and we want to ensure the public that Pinnacle takes our role as stewards of people’s information seriously, and security is of utmost importance to us.
Unfortunately, malicious cyber activity is a constant threat and New Zealand is not exempt from this.
“We have put contingency plans in place and are working to understand exactly what happened and who has been impacted. We have notified the Office of the Privacy Commissioner.”
Pinnacle does not hold information like GP notes, but does hold personal information such as names, addresses and National Health Index (NHI) numbers.
The affected practices are still providing services, and people can continue to seek care as normal. However, patients may experience delays when contacting some practices. So, if you are needing care, please call your doctor or medical centre as you normally would.
Pinnacle has engaged the specialist support services of IDCARE, New Zealand’s national identity and cyber support community service. IDCARE services are free to the New Zealand community in providing specialist support to individuals who believe they are at heightened risk due to the exposure of their information.
IDCARE Case Managers can be engaged via their online Get Help for Individuals booking form at idcare.org and by using the referral code PBN22 when prompted. IDCARE’s National support number is 0800 121 068 and is active from 9am NZDT to 7pm NZDT Monday to Friday.
IDCARE advises all current and former patients of Pinnacle and their health providers to remain vigilant about the risk of scams. Whilst investigations continue, we are mindful that scammers do take advantages of organisations through impersonation in order to elicit further details and access from our community. If you receive a text, phone call or email from an organisation, such as law enforcement, your bank or Government, we advise you to make your own enquiries first before responding to any demands placed on you (including clicking any links or providing your identity or account information).
For further information about current scams and how to protect yourself, please visit idcare.org.
What kind of data might have been accessed?
While Pinnacle does not hold GP notes and consultation records, we now have a much clearer understanding of the breadth of stolen data. This includes high level data related to the use of hospital services, claiming information related to services that Pinnacle provides, and information sent to practices around immunisation and screening status of individual patients.
Pinnacle Midlands Health holds information on individuals enrolled in Tairāwhiti, Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato regions.
We hold data that includes who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity and address.
We also hold some medical information provided to us by medical centres that we analyse and provide back to the medical centres to support timely quality care. For instance, Pinnacle provides GPs and practice nurses with information on:
The reason we collect this information and provide it back to GPs is to improve the care that patients receive, including by ensuring patients get proactive screening for diseases like cancer and get treatment for chronic conditions like diabetes. This helps save lives and keep people well.
We do not believe there was any impact to your online patient portal at this time. Patient portals are owned and operated by companies separate from Pinnacle and Pinnacle practices. We encourage you to continue using your portal.
What practices are in your network?
The services impacted include the Pinnacle group regional offices, and Primary Health Care Ltd (PHCL) practices across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato. A list of PHCL practices can be found on their website: www.phcl.health.nz/practices.
We hold some medical information provided to us by medical centres in our network that we analyse and provide back to the medical centres to support timely quality care. Practices in the Pinnacle network are found in the 'find a practice' section of this website.
How do I know if my data has been accessed?
We are working to better understand who may have been impacted by this attack on our systems and will endeavour to contact anyone who has been impacted.
Is the data now safe?
As soon as we became aware of the incident, the affected IT system was taken offline and contained. We engaged external support partners and launched an in-depth investigation alongside relevant authorities.
We have significantly strengthened security for our IT systems, and we are working through a transformation programme, which will provide even more security.
What are you doing?
Pinnacle has laid a complaint with the Police. We are working with global incident response experts, as well as receiving excellent support from Te Whatu Ora and other government agencies.
All essential services remain operational, but you may experience some delays when calling your GP because of the need to conduct thorough investigations.
Pinnacle and our partners are working as quickly and thoroughly as possible to return to business as usual. In the meantime, business continuity plans are in place and working well.
Our focus now is to provide support to our network and the public.
How did this happen?
This was an illegal act, and the Police have been informed. Our investigation is still underway as to how this happened.
Where is the impacted data available?
We have been notified by our security experts that the data taken from our IT platform has been released by malicious actors, and is believed to be available on what is often referred to as 'the dark web'. The dark web is a part of the internet that can only be accessed through special kinds of software. Most dark web websites are not directly accessible via a normal search made through a search engine (such as Google).
Can I still contact my GP?
Yes. Affected practices remain operational. However, patients may experience delays when contacting some practices. So, if you are needing care, please call your doctor or medical centre as you normally would.
We do not believe there was any impact to your online patient portal at this time. Patient portals are owned and operated by companies separate from Pinnacle and Pinnacle practices. We encourage you to continue using your portal.
How can I keep myself safe online?
Cert NZ, an organisation that supports organisations and individuals who are affected by cyber security incidents, recommend the following steps to protect your information.
A good approach is to only share personal information online when you know:
Visit Cert NZ’s webpage on information leaks to read more about protecting your data and its webpage for individuals has more informative articles on keeping your information safe and secure online.
Other great and trusted online information includes:
I received a text message/email and I think it is spam. What should I do?
Te Tari Taiwhenua (Department of Internal Affairs) has a complaint service for spam text and email: www.dia.govt.nz/Spam-Complain-About-Spam
DIA does not investigate unsolicited phone calls, postal mail or pop-up messages. If you have received an unsolicited phone call, please contact you telephone service provider.
If you believe you are the victim of an online crime, then please report the matter to the Police dialling 105 (non-emergency reporting) in the first instance.