Thousands of coronial files, reports impacted in security breach

Thousands of coronial files and reports had their access impacted following a "cyber-security breach", the Ministry of Justice confirmed today.

It comes after a company which provides IT services to a third-party provider the ministry has contracts with was targeted.

At this stage, it's believed approximately 14,500 coronial files relating to the transportation of deceased people across the country from November 2018 to November 2022 were affected, Ministry of Justice chief operating officer Carl Crafar said in a statement.

A further 4000 post mortem reports relating to files from Northland, Waikato, the Bay of Plenty, Taranaki, Wellington, Horowhenua-Kāpiti, Nelson-Marlborough, Otago and Southland from March 2020 to November 2022 were also impacted.

The ministry has been working alongside other Government agencies, including the National Cyber Security Centre (NCSC), Office of the Privacy Commissioner, police, and CERT NZ to "fully understand the extent of the issue" since it was made aware of it last Wednesday.

"The chief coroner has also been informed."

The Ministry of Justice's systems were not directly targeted.

Crafar said while the cyber security incident had blocked access to the data, there was no evidence at this stage that the data had been taken.

However, the Ministry could not rule out the possibility, and it is now under investigation by cyber security experts.

“We acknowledge that this incident has affected information that is sensitive. We will continue working to understand the extent of the incident," Crafar said.

“We are conscious that so-called malicious actors behind such activity can monitor public commentary on incidents of this nature so will not be providing more detailed information on our responses at this time.”

Mercury IT, who the ministry confirmed was the company responsible for its data storage, put out its own statement shortly after confirming it had been targeted in a ransomware attack on November 30.

The company said this evening they were made aware they "were the victim of a cyber-incident after a malicious and unauthorised actor gained access to our server environment".

"The incident was raised with relevant Government authorities, and we have engaged external specialist support. Our response to understand how this occurred, and address the impacts, is at an early stage; however, all possible steps have been taken to secure our environment," director Corry Tierney said.

"We are committed to supporting our impacted clients with their own investigations wherever possible and we apologise, sincerely, for the impact this attack has caused. We cannot provide further information on the impact and our mitigation at this time as the actors behind this incident, or others, can leverage any publicly available information."

In a statement, the Office of the Privacy Commissioner said "urgent work" is now underway to "understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system".

"We encourage any clients of Mercury IT who have been impacted by this incident and who have not already been in touch with us to contact the Office of the Privacy Commissioner," it read.

The Privacy Commissioner urged anyone who receives or finds information relating to the cyberattack to "do the right thing".

"Do not spread it. Do not share it. Report it to the New Zealand Police. No one should contribute to its widespread dissemination. Spreading this information or profiteering from it causes anxiety and distress to victims."

Te Whatu Ora confirmed in a statement that a ransomware attack on a IT service provider used by the agency had blocked access to some of its data relating to bereavement and cardiac services.

"Our cyber security team has been working with Government agencies and the affected IT service provider to determine the full nature, extent and potential impact of this incident. These investigations are at a very early stage and will take some time to complete," it said.

"The incident did not target Te Whatu Ora systems directly and we would like to reassure the public that there has been no disruption to health service delivery and that all Te Whatu Ora health services are continuing to run normally.

"However, access to some information held by the IT service provider has been blocked which means clinical teams and staff working in some areas cannot access certain types of data at present."

It includes 8500 records dating back to 2015 relating to bereavement care services data from Auckland's Middlemore Hospital, and cardiac and inherited disease registry data comprising approximately 5500 records dating back to 2011. The registry is accessed by clinicians in Auckland, Wellington, Tauranga, Waikato, and Nelson.

Te Whatu Ora said while the files are "currently inaccessible, there is no evidence at this stage that they have been subject to unauthorised access or download".

It said six health regulatory authorities whose services are hosted by the IT service provider have also been impacted. They include the Optometrists and Dispensing Opticians Board of New Zealand; the Chiropractic Board; the Podiatrists Board; the New Zealand Psychologists Board; the Dietitians Board; and the Physiotherapy Board of New Zealand.

"We understand that this situation may be distressing for people. We want to reassure the public that we are working swiftly with other Government agencies and cyber security experts to determine the full nature, extent and potential impact of this incident," the agency said.

"As further facts are established we will work to communicate these as swiftly as possible."

Anyone who is concerned about their information or a member of their whānau has been urged to contact Te Whatu Ora on 0800 638 924.

Anyone who believes they may have been affected has been advised to contact the Ministry of Justice at contactus@justice.govt.nz, or call 0800 638 924.