Thursday 27 May 2021

Privacy, IT, and Waikato

Waikato District Health Board's computers have been down for over a week due to a cyberattack that also seems to have led to private patient and/or staff details being taken from the system by the attackers.

Radio New Zealand reported yesterday on a Health IT Stocktake warning of significant IT risks last year.

The Privacy Act's new provisions allowing the Privacy Commissioner to issue Compliance Orders came into effect 1 December last year. Rule 5 of the Health Information Privacy Code 2020 also requires that private health information be held securely.

So I was curious whether the Privacy Commissioner had had any chats with the Ministry, DHBs, and Minister about these compliance issues last year, and whether any Compliance Orders had been contemplated before the hackers took down the Waikato hospital system's general ability to function. 

On a quick look online, I could find a morning interview with the Privacy Commissioner about the hack, but I could see nothing about it on the Privacy Commissioner's website, on its official Twitter feed, or on the Commissioner's Twitter feed.

So I sent through the following OIA request at 1pm.

I am curious what measures, if any, the Privacy Commissioner has taken to ensure the security of individuals’ health data held by the public health system.

Last year’s IT Stocktake for the Ministry of Health, as reported by Radio New Zealand, demonstrated substantial risks. Failure to address those risks plausibly led to this month’s substantial data breach at Waikato DHB. 

Radio New Zealand’s report on the stocktake is here. 

The updated Act provides opportunity for the Privacy Commissioner to issue Compliance Orders in cases where substantial privacy risks warrant it. The Stocktake report predated the ability to issue Compliance Orders, but orders presumably could have been issued on the Act’s coming into force if they were warranted, if the Ministry and DHBs had not been demonstrably moving to solve the identified problems.

In terms of the Official Information Act, I would like to know whether the Privacy Commissioner had been aware of last year’s IT Stocktake at the Ministry of Health demonstrating substantial risks. 

Please also provide:

  1. Any internal correspondence, briefing notes, minutes of meetings, or recollections of relevant officials about the results of the Ministry of Health’s IT Stocktake and what action, if any, the Privacy Commissioner should take. I am particularly interested in knowing why a compliance order was not issued, if no compliance order was issued.
  2. Any correspondence from the Privacy Commissioner to the Ministry of Health, and any correspondence from the Privacy Commissioner to the District Health Boards, about their obligations under the Privacy Act, their obligations under Rule 5 of the Health Information Privacy Code, and about the IT Stocktake;
  3. Any correspondence from the Privacy Commissioner to the Minister of Health about the Ministry of Health's and DHBs' obligations under the Privacy Act, and about the IT Stocktake;
  4. Any correspondence with the Minister of Health about IT security in general, and about the Waikato DHB breach in particular. Please include all memos, briefing notes, aide memoires, and summaries of any meetings;
  5. A listing of any measures taken by the Privacy Commissioner to ensure DHB and MoH compliance with Rule 5 of the Health Information Privacy Code 2020, along with any evidence held by the Privacy Commissioner establishing DHB and MoH compliance with Rule 5 of the Health Information Privacy Code;
  6. A listing of Compliance Orders issued thus far, along with any details on the recipient of each Order and what the Commissioner has Ordered. If identifying details of the recipients need to be suppressed, please provide detail on the sector and industry of the recipient of the Order, and whether the recipient is private or public sector.

I hadn't seen anything about the Waikato leak on the Privacy Commissioner's website when I sent in the request.

At 4.25 pm the Privacy Commissioner tweeted a link to a press release dated 9am, noting that the Commissioner could yet issue Compliance Orders. 

I hadn't seen it on the Commissioner's website at 1pm; I must have missed it, or perhaps their CMS takes a while to refresh. 

Will post what information I receive. 
