Administrative account likely used in cyber attack on health provider Pinnacle, expert says
A data expert says it’s likely a valid administrative account was used in the cyber attack of a major primary health provider’s system.
The affected IT was immediately taken offline and contained, but the Pinnacle group regional offices, and Primary Health Care Ltd practices across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato were impacted.
Datacom cybersecurity director Matthew Evetts said although information about the nature of the attack had not been released, it was likely a valid administrative account was used to access the system.
This was because some users reported their devices resetting, raising the first alarm of an attack.
He said the account details could have been stolen or purchased, but because they were real accounts they were more difficult to pick up.
Chief executive Justin Butcher said on Tuesday that investigations were still underway, but it appeared that before the breach was notified and the IT was contained the malicious actors accessed information from the system, which could include commercial and personal details.
Butcher would not confirm or deny if any demands had been made by the “malicious actors” and did not know what they would do with the accessed information.
Pinnacle does not hold information such as GP notes, but does hold personal information such as names, addresses, and National Health Index (NHI) numbers.
“At this point in time, we cannot confirm what specific data or information may have been accessed, but we are working through a process to better understand that,” he said.
“This will take time, however, we believe it is important to disclose this incident now, so we can support those people who have potentially been impacted.”
On Wednesday, a spokesperson said the investigation was still in early stages and there was no further information.
It also did not know how many people had reached out with concerns.
In a statement Pinnacle said it “engaged external support partners and launched an in-depth investigation alongside relevant authorities.
“We have also laid a complaint with the police and are working alongside Te Whatu Ora and a number of other Government agencies.”
Evetts said personal data was usually stolen to be sold and used for fraud or for gaining more information.
The personal information could be leveraged to uncover more information about the person before it was used to extort money out of a person or organisation.
He said patients involved with Pinnacle’s GP centres should, now more than ever, be careful about their online activity.
People should make sure the person or organisation they are dealing with online is who they say they are.
He said using a password vault was a good way to keep on top of having a unique password that was regularly changed.
Evetts said Pinnacle had done the right thing by enlisting experts to forensically investigate the breach and uncover what was and wasn’t taken.
“They are not saying anything about how it was taken. That is wise because you don’t want to open yourself to more attacks.”
He said when the extent of the breach was known Pinnacle would need to work with staff and patients to mitigate the fallout of what could be done with the stolen information.
Malware breaches, when someone downloads something they shouldn’t, were on the decline, he said.
But, lots of people and organisations were still falling into social engineering cyber attacks – by phishing, phone calls, and texts.
He said people were becoming more aware and careful about their online activity, but attackers were constantly and quickly advancing.
Evetts said it was important an organisation’s people, processes and technology were all as secure as possible.
It wasn’t just about the online systems, it was also about making sure staff understood why and how to keep safe and that processes were in place to keep information secure.