Te Whatu Ora Health New Zealand v Unknown Defendants

[2022] NZHC 3568

20 December 2022

IN THE HIGH COURT OF NEW ZEALAND WELLINGTON REGISTRY

I TE KŌTI MATUA O AOTEAROA TE WHANGANUI-A-TARA ROHE

CIV-2022-485-000804

[2022] NZHC 3568

BETWEEN

TE WHATU ORA HEALTH NEW ZEALAND & ATTORNEY GENERAL (In Respect of the) MINISTRY OF JUSTICE
Plaintiffs

AND

UNKNOWN DEFENDANTS

Defendant

Hearing: 16 December 2022 (teleconference)

Appearances:

J W S Baigent for the Plaintiffs

Judgment:

20 December 2022


JUDGMENT OF GRICE J

Without Notice Interim Injunction (reasons)


Introduction

[1]    This is an urgent application for orders restraining the publication and distribution of confidential information which was obtained through a ransomware attack on an IT service provider, Mercury IT Ltd, by unknown third parties. Having obtained the information, the ransomware attackers or their associates are attempting to hold to ransom the plaintiffs and others. Much, if not all, of the relevant information has been encrypted and will not be accessible by the attackers. However, there is a credible threat and risk that the information which has been attacked will be leaked or published by the persons responsible for the ransomware attack.

[2]    I heard the application on 16 December 2022 and granted various orders as sought. I also directed service of the orders on the Privacy Commissioner, Mercury IT and various media organisations, giving leave for those served to apply on notice in relation to the orders. This is the reasons judgment following my granting of the orders.

[3]    Te Whatu Ora Health New Zealand (HNZ) is a Crown agency responsible for the delivery of public health and disability services in New Zealand and was established pursuant to the Pae Ora (Healthy Futures) Act 2022.

[4]    The Ministry of Justice (MOJ) is a government department pursuant to the Public Service Act 2020. Its functions include providing administrative and support service to assist the operation of courts and tribunals, including coronial services.

[5]    The defendants are persons currently unknown who are said to be responsible for the ransomware attack suffered by Mercury IT on about 30 November 2022 and to have illegally obtained, as a result of that attack, data belonging to the plaintiffs and others. The data illegally obtained during the attack is referred to in this judgment as the Affected Dataset. Those defendants also include those who have obtained or may seek to obtain access to or have otherwise been provided with information from the Affected Dataset, including, without limitation, media entities.

[6]    Mercury IT is a New Zealand-based private data service provider which held electronic data stored on behalf of the plaintiffs which was the subject of a ransomware attack on 30 November 2022. During the ransomware attack the data was encrypted with ransomware and/or exfiltrated, that is it was copied and extracted by the persons responsible for the ransomware attack.

[7]    The unknown persons responsible for the ransomware attack have threatened to publish on the dark web all data in the Affected Dataset that they have exfiltrated, unless their ransom demands are satisfied.

[8]    The ransomware attack has received extensive media attention and the fact of the attack has been widely reported.

[9]    If the Affected Dataset is published on the dark web or elsewhere by those responsible for the attack, the plaintiffs say there is significant risk that it will be accessed, used and published by others.

Background

[10]   HNZ produces, collects and holds confidential information, including personal health information relating to its patients, former patients, and their whānau. It also holds personal information relating to staff and confidential business and administrative information relating to its operations.

[11]   Some of that confidential information is managed and held by third-party agencies, including Mercury IT. The data affected by the ransomware attack on Mercury IT which forms part of the Affected Dataset includes: coronial support and bereavement care services information, which contains sensitive details such as the deceased’s demographics, dates of birth and death, the cause and circumstances of death, and details of the doctor and next of kin; data relating to the Cardiac Inherited Disease Registry, which contains sensitive information about sudden-death patients and those with suspected genetic cardiac conditions, including the whānau of these two groups of patients; and other data held by Mercury IT customers relating to services provided by HNZ which has been impacted but that HNZ has not yet identified. This includes information from a third-party supplier of public relations services whose data was also stored by Mercury IT.

[12]   There are other third-party health regulators for whom the Mercury IT data breach may have implications as well. They are concerned about the breaching of confidentiality by the release of that data, and support this application. Counsel referred to these parties in her memorandum and submissions, but there was insufficient time to arrange for affidavits from those organisations in the time available before this matter was dealt with on an urgent basis. One private provider supplied a supporting affidavit.

[13]   Mercury IT also provided IT services for the companies which provide services to the MOJ. This includes information relating to: coronial services including data relating to identification information about the deceased; next of kin details; police reports, including details about the likely cause and circumstances of death; post-mortem reports; and records relating to the transportation of deceased persons.

[14]   The amount of data here affected is substantial. The confidential and personal information of thousands of individuals is involved.

Analysis

[15]   The application is wide-ranging. It affects all the data that has been compromised by the ransomware attack on Mercury IT. It is not possible to otherwise identify which data is likely to jeopardise the confidential and personal information held on behalf of individuals. The access, review, or use of the plaintiffs’ confidential information in the Affected Dataset, by unknown defendants, will amount to an interference with the plaintiffs’ confidential information and of the personal, sensitive information of the individuals concerned. I am satisfied that any use or disclosure of the plaintiffs’ information in the Affected Dataset will be unauthorised (unless expressly consented to by the plaintiffs) and will be a breach of the confidence attaching to that information.

[16]   I am satisfied the use or disclosure of any such information in the Affected Dataset will cause harm by way of distress, anxiety and harm to the individuals concerned, including present and former patients of HNZ and their relatives as well as the staff and wider community, from the realisation that unknown defendants are searching and reviewing that information with a view to its use and/or publication. It will also likely generate increased interest in the Affected Dataset amongst the media and other entities or individuals who will be encouraged to search for and review the Affected Data to use for their own purposes. That will increase the perceived value of the Affected Dataset in the eyes of the threat actors, causing a risk of further action being taken by those threat actors and cyber criminals in relation to the Affected Dataset to further their own objectives.

[17]   Irrespective of the content of the Affected Dataset, it is not in the public interest for those unknown defendants to make use of the information in the Affected Dataset when weighed against the serious harm that will likely result from the use of the confidential and personal information.

[18]   There is ample precedent for the granting of injunctions where it is not possible to name the defendants, in circumstances such as in this case.1

[19]   The requirements for obtaining an interlocutory injunction under r 7.53 of the High Court Rules 2016 are well-established and were set out by the Court of Appeal in Klissers Farmhouse Bakeries Ltd v Harvest Bakeries Ltd.2 There are two broad considerations, namely whether there is a serious question to be tried and where the balance of convenience lies.3

[20]   I am satisfied there is a serious question to be tried. The evidence supports the allegation that there has been an unlawful ransomware attack resulting in threats to breach confidence by way of accessing, reviewing or using the plaintiffs’ confidential information in the Affected Dataset.

[21]   Turning to the balance of convenience, the unlawful disclosure of confidential and personal information of many individuals is threatened. I am satisfied it is necessary to restrain the access, review or use of the plaintiffs’ confidential information in the Affected Dataset by all persons who might otherwise seek to access or use the information for whatever purpose.

[22]   The orders are being granted on an urgent without notice basis, and it may well be that some matter has been overlooked. However, an undertaking as to damages has been filed on behalf of HNZ. In addition, I have made directions as to service and granted leave for applications to be made on notice by any interested persons, by way of safeguard.

[23]   The direction to serve the Privacy Commissioner will also ensure that the Commissioner is aware of the situation and able to take such steps as they consider appropriate on behalf of those members of the public whose privacy may have been compromised. The Commissioner’s functions under the Privacy Act 2020 include to give advice to any person in relation to any matter that concerns the need for, or desirability of, action by that person in the interests of the privacy of individuals.4

1      A recent example is Commerce Commission v Unknown Defendant(s) [2019] NZHC 2609, (2019) 15 TCLR 505 at [26]–[28]; and see the authorities cited therein.

2      Klissers Farmhouse Bakeries Ltd v Harvest Bakeries Ltd [1985] 2 NZLR 129 (CA).

3      At 142.

4      Privacy Act 2020, s 17(1)(k).

[24]   Similarly, in the interests of transparency, I have directed the media outlets listed be served.

[25]   One of the affidavits filed in support of the application has been filed by a third-party provider to the plaintiffs. It seeks that the information that is provided in the affidavit be held on a confidential basis at present as it is unaware of the full details of the impact of the data breach on its clients and staff information. In view of the urgency of this application and the sensitivity of some of the information involved, I consider it is appropriate to make an order granting confidentiality in relation to that affidavit at this time.

[26]   All persons having an interest may apply to the court on notice. This matter will be called for mention on 1 February 2023.

Orders

[27]   I confirm the making of the following interim orders until further order of the court:

(a) An order restraining all unknown defendants from accessing or performing any set of operations on the Affected Dataset (or its contents) illegally obtained as a result of the November 2022 ransomware attack on Mercury IT, without the written consent of the plaintiffs or true owners of the information, including creating any derivation of, or using, accessing, collecting, searching, reviewing, copying, structuring, organising, adapting, retrieving, inputting, storing, broadcasting, publishing, sharing, making available to any members of the public, transferring, or disclosing any information, data or documentation, whether by manual or automated means, from the Affected Dataset.

(b) An order requiring all unknown defendants to permanently delete any and all copies of the Affected Dataset in their possession or control or information obtained from it, and provide an undertaking at the request of the plaintiffs or true owners of the information that they have done so.

(c) An order requiring all unknown defendants to permanently delete and take down any and all publications of or links to copies of the Affected Dataset or information obtained from it.

(d) Reserving leave to any person affected by these orders to apply to the Court for variation on 48 hours’ notice.

(e) Directing that these proceedings be served on the following to enable them to consider whether to seek leave to intervene and be heard:

(i) Mercury IT Ltd;

(ii) the Office of the Privacy Commissioner; and

(iii) RNZ, NZME, Stuff, Newsroom, BusinessDesk, NBR, The Spinoff, TVNZ, Discovery/Newshub, Whakaata Maori, Waatea Radio.

(f) The confidential affidavit of [redacted] filed in support of this proceeding to be sealed and kept confidential, and not made available for inspection.

(g) For the avoidance of doubt, orders (a), (b) and (c) do not extend to the lawful use by unknown defendants of information, data or documentation that is in, or shall have come into, the public domain lawfully and other than as a result of any dealings by any person with the Affected Dataset or its contents.

(h) The application for interim injunction be placed in the court list for mention on 1 February 2023.


Grice J

Solicitors:

Simpson Grierson, Wellington
