Date: Aug 2019

Location: New Zealand

Summary

A staff member at Capital & Coast DHB fell victim to a phishing scam that resulted in the unauthorized exfiltration of thousands of emails from their account, with communications sent to external addresses domestically and internationally. The organization promptly secured the compromised account to halt further unauthorized activity and successfully blocked the attack through existing ICT safeguards. While the incident involved significant email data transfer, no sensitive patient information or private records were accessed or compromised during the breach.

Description

On or around August 27, 2019, Capital & Coast District Health Board (CCDHB) experienced a cybersecurity incident when a staff member fell victim to a phishing scam. The attack resulted in unauthorized access to the employee’s email account, enabling the exfiltration of thousands of emails from the compromised inbox. These emails were subsequently forwarded to external email addresses located both within New Zealand and internationally. The DHB’s ICT systems detected the anomalous activity, though the exact timeframe between the initial compromise and detection was not disclosed in available reports. Upon identifying the breach, CCDHB immediately disabled access to the affected email account to prevent further unauthorized data transfers.

The incident did not result in the compromise of private or patient information, according to CCDHB’s public statement. The organization confirmed that its ICT security measures successfully blocked the phishing scam’s continuation after the initial breach. No additional technical details regarding the attack vector, such as the nature of the phishing email or specific malware involved, were disclosed. Containment efforts focused solely on isolating the compromised account, with no indication of broader network infiltration or secondary attack phases. CCDHB did not report operational disruptions to healthcare services, nor did it disclose whether regulatory authorities or affected individuals were formally notified beyond its initial public acknowledgment. The scale of the email exfiltration—described as “thousands” of messages—was not further quantified by type, sensitivity, or specific recipients.
