Cyber Incident Victim: Pinnacle Midlands Health Network
Date: Sep 2022
Location: New Zealand
Summary
A New Zealand medical network suffered a cyberattack compromising sensitive data of approximately 450,000 patients, including names, addresses, and health service details such as immunization and screening statuses. The stolen information was subsequently released on the dark web, prompting the organization to take IT systems offline while collaborating with law enforcement and privacy authorities; affected practices maintained normal operations throughout the incident.
Description
On September 28, 2022, Pinnacle Midlands Health Network, a New Zealand medical provider, experienced a cyberattack that disrupted its IT systems across multiple practices. The organization took its IT platform offline to contain the breach. Initial statements from CEO Justin Butcher indicated uncertainty about which specific data had been accessed. The network confirmed that it stored patient names, addresses, and personal details, and clarified that it did not retain GP consultation notes or medical records. By early October, forensic investigations revealed that attackers had exfiltrated data pertaining to approximately 450,000 individuals. This dataset included hospital service records such as immunization histories and screening statuses for current and former patients across the Waikato, Lakes, Taranaki, and Tairawhiti districts. The compromised information was subsequently published on the dark web, and security experts notified Pinnacle of the leak in the 24 hours before its October 10 public disclosure.

Pinnacle Midlands engaged with New Zealand Police and the Office of the Privacy Commissioner following confirmation of the data release. Despite operational disruptions from the system shutdown, all affiliated medical practices maintained normal patient services throughout the incident. The organization emphasized ongoing efforts to determine the full scope of accessed data while reiterating that clinical consultation records remained unaffected. No ransomware demands or explicit attacker motives were disclosed in public communications. Impacted individuals had not been directly notified by the time of the October 10 report, as the network prioritized coordination with authorities and forensic analysis to verify the extent of exposed records.
