What happened
In October 2022 Pinnacle Midlands Health Network — a large North Island GP network operating across Waikato, Taranaki and Tairāwhiti — disclosed that cyber attackers had stolen and then published patient data on the dark web, affecting up to 450,000 people [rnz-pinnacle]. The exposed information included patient addresses, National Health Index (NHI) numbers, immunisation and screening status, and data about services provided [rnz-pinnacle].
Timeline
- 2022-09 — Unauthorised access is understood to have occurred roughly two weeks before public notification [rnz-pinnacle].
- 2022-10-10 — Pinnacle notified the public; within 24 hours it confirmed stolen data had been posted to the dark web [rnz-pinnacle].
Current status
Pinnacle said it was working with Police and the Office of the Privacy Commissioner. The figure of “up to 450,000” is the organisation’s own upper estimate as reported; the attackers’ identity was not established at the time of reporting [rnz-pinnacle], [nzh-pinnacle].
Why it matters
A primary-care network holds identifying and clinical data on a very large population. The publication of that data to the dark web — including NHI numbers — makes this one of the most serious health-sector breaches on the New Zealand record.