Cyber Incident Victim: Waikato District Health Board
Date: May 2021
Location: New Zealand
Summary
A ransomware attack identified as "Conti" disrupted clinical services across Waikato District Health Board's hospitals, disabling all computers and phones. Outpatient clinics were canceled, surgeries proceeded only with printed patient notes, and emergency departments prioritized critical cases. Staff described operational chaos while the DHB engaged external experts and government authorities to resolve the incident, warning systems might remain offline for days. Patients faced postponed appointments, with communication challenges prompting advice to contact individuals via personal mobile phones. The organization implemented strict protocols prohibiting computer use until systems could be securely restored.
Description
On May 18, 2021, Waikato District Health Board (DHB) experienced a cyber security incident that severely disrupted clinical services across all Waikato public hospitals, including facilities in Thames, Tokoroa, Te Kuiti, and Taumarunui. The attack compromised the DHB's Information Services environment, forcing the shutdown of all internal systems except email, and rendered phones and computers inoperable. The Resident Doctors Association and Association of Professional and Executive Employees identified the attack as ransomware known as "Conti," noting similarities to an attack on Ireland’s Department of Health the prior week. Waikato DHB activated an incident management system and engaged external cybersecurity assistance to investigate and resolve the breach, while also notifying relevant government authorities. Initial assessments indicated uncertainty about the timeline for restoration, with staff warnings suggesting outages could persist for days.

The incident caused significant operational chaos, with hospital staff describing conditions as "mayhem." Clinical workflows were severely impaired, forcing doctors to rely on printed patient notes for surgeries and leading to the cancellation of outpatient clinics, though inpatient care continued unaffected. The DHB urged the public to avoid Waikato Hospital’s Emergency Department except for emergencies and advised contacting patients via personal mobile phones due to communication system failures. Staff were instructed not to power on any computers or laptops until further notice, exacerbating disruptions for corporate support teams unable to perform routine tasks. The Ministry of Health confirmed the attack occurred overnight and collaborated with the DHB and IT partners to minimize outpatient service interruptions, prioritizing rescheduling canceled appointments. Despite these efforts, the DHB emphasized that full system restoration required thorough security validation, prolonging the recovery process.
