Pinnacle cyber incident

Kia ora,

One of our roles as a healthcare provider is to hold information for medical centres, so we can help provide you with the best care possible. We take our role as stewards of people’s information seriously.

What has happened?

On Wednesday 28 September, malicious actors accessed a third-party IT server that Pinnacle Midlands Health Network (Pinnacle) uses. The attacker took health information ranging from approximately 2016 to 2022 and some of Pinnacle’s corporate information. This incident affected the services of the Pinnacle group in the Waikato, Lakes, Taranaki and Tairāwhiti districts. It also includes Primary Health Care Ltd practices from across Taranaki, Rotorua, Taupō-Tūrangi, Thames-Coromandel and Waikato.

Pinnacle is deeply sympathetic to the stress this incident may have caused. We understand this has been a challenging time for all involved.

As Pinnacle continues to investigate the incident, we wanted to provide an update on progress.

Incident response

When Pinnacle became aware of the incident, the affected IT system was taken offline and contained. We implemented our backup systems safely and promptly. Subsequent analysis of systems showed no further evidence of malicious activity.

The incident response will take time to better understand what was taken from our IT platform. Pinnacle is a complex organisation with a network of nearly 500,000 patients.

Following the initial investigation, Pinnacle was notified on Saturday, 8 October 2022 that some of the data taken was released onto the internet by malicious actors. We are attempting to retrieve the stolen data and will provide updates where possible.

Our primary focus is to support people who may have been impacted, and to work with the authorities to ensure we are doing everything we need to be.

What we are doing

Pinnacle has notified the Police and is monitoring for malicious activity and continuing be vigilant in protecting the information we collect.

The Office of the Privacy Commissioner (OPC) has been notified, and we continue to consult with the OPC to ensure appropriate steps are being taken to protect the privacy of anyone who may be affected.

If you have any concerns, then you have the right to complain to the Privacy Commissioner. Please visit the OPC’s website for information about your privacy rights: www.privacy.org.nz/your-rights/your-privacy-rights.

Pinnacle continues to work with experts in our incident response process. This has involved support from government entities including the National Cyber Security Centre and Te Whatu Ora.

Support and questions

We are committed to supporting our patients and there are a number of ways you can get support.

IDCARE

Pinnacle has engaged the specialist support services of IDCARE, New Zealand’s national identity and cyber support community service. IDCARE services are free to the community in providing support to individuals who may be at heightened risk due to the exposure of their information.

IDCARE’s support number is 0800 121 068 and is active from 9am NZDT to 7pm NZDT Monday to Friday. Use referral code PBN22 when prompted. For further information please visit idcare.org.

Contact Pinnacle

If you have any other questions, please contact us at info@pinnacle.health.nz.

Nga mihi,

Justin Butcher
Chief Executive