Waikato District Health Board ransomware attack

On 18 May 2021, the Waikato District Health Board (DHB) — which ran five hospitals serving more than 400,000 people in New Zealand's central North Island — discovered that its digital systems were failing. Within a day it was confirmed as a ransomware attack, one of the most serious cyber incidents ever to strike New Zealand's public sector.

What happened

The attack, carried out using the Zeppelin ransomware, encrypted servers across the Waikato DHB and took down clinical IT systems and phone lines simultaneously. With patient-record systems, laboratory and radiology results, and internal communications offline, staff were forced into manual, paper-based workarounds to keep caring for patients.

Emsisoft researcher Fabian Wosar described it as the largest Zeppelin breach he had seen. Estimates from security experts put the likely ransom demand in the range of a seven- to eight-figure cryptocurrency sum.

Impact

All five Waikato hospitals were affected; elective surgeries and some outpatient appointments were postponed, and radiation-therapy treatments were disrupted.
Phone systems failed, forcing the DHB to publish alternative contact numbers and divert some services.
On 25 May, attackers claimed to have stolen sensitive patient, staff, and financial data and issued a ransom ultimatum.
The Waikato DHB and the New Zealand government refused to pay the ransom.
In early June, a third party released stolen documents on the dark web, confirming that patient and staff information had been exfiltrated.

Recovery

Restoration was slow and laborious. By 2 June, around half of the DHB's servers had been restored; radiation therapy resumed around 7 June; and by 15 June — roughly four weeks after the attack — most clinical services, record access, laboratory diagnostics, and radiology were back online. Even then, staff continued to rely on manual processes in several areas, and the DHB brought in large numbers of additional IT specialists to rebuild systems.

Why it matters

The Waikato DHB attack was a defining moment for New Zealand cybersecurity, exposing how fragile health-sector IT had become and how directly a ransomware event can endanger patient care. It hardened the government's stance against paying ransoms and fed directly into the national reform that consolidated the country's district health boards into a single entity, Te Whatu Ora / Health New Zealand, with cyber-resilience a central concern. It remains the canonical New Zealand example of ransomware as a public-safety, not merely an IT, emergency.

Timeline

May 18, 2021

Waikato DHB becomes aware that several of its digital systems are not operating normally.

May 19, 2021

The attack is confirmed as ransomware; hospital computer systems and phone lines across the region are knocked offline.

May 25, 2021

An unidentified group claims responsibility, says it has stolen patient, staff, and financial data, and issues a ransom ultimatum.

May 26, 2021

Waikato DHB and the New Zealand government rule out paying the ransom.

June 1, 2021

Stolen documents containing patient and staff data are released on the dark web by a third party.

June 15, 2021

Clinical services are largely restored, roughly four weeks after the attack, though manual workarounds continue in several areas.

Sources

en.wikipedia.orghttps://en.wikipedia.org/wiki/Waikato_District_Health_Board_ransomware_attack

rnz.co.nzhttps://www.rnz.co.nz/news/national/442959/waikato-dhb-enters-third-day-affected-by-cyber-attack

rnz.co.nzhttps://www.rnz.co.nz/news/national/445735/waikato-dhb-ransomware-attack-documents-released-online

rnz.co.nzhttps://www.rnz.co.nz/news/national/443589/waikato-dhb-data-breach-likely-seven-eight-figure-cryptocurrency-ransom-expert

cyberlaw.ccdcoe.orghttps://cyberlaw.ccdcoe.org/wiki/Waikato_Hospitals_ransomware_attack_(2021)

Related incidents

RansomwareResolvedOctober 30, 2021

Newfoundland and Labrador health-system cyberattack

A Hive ransomware attack on Newfoundland and Labrador's health-care network crippled IT systems across the province, forcing the cancellation of thousands of appointments and procedures in what officials called the worst cyberattack in Canadian history.

Victim: Newfoundland and Labrador Centre for Health Information / Eastern Health

RansomwareResolvedOctober 13, 2021

Hillel Yaffe Medical Center ransomware attack

DeepBlueMagic ransomware paralysed Israel's Hillel Yaffe Medical Center, locking every hospital computer system. As a government-owned hospital barred from paying ransom, it ran on paper and alternative systems for weeks, taking roughly two months to fully recover.

Victim: Hillel Yaffe Medical Center

RansomwareResolvedAugust 16, 2021

Moorfields Eye Hospital Dubai ransomware attack

The AvosLocker ransomware gang attacked the Dubai branch of NHS-affiliated Moorfields Eye Hospital, exfiltrating roughly 60 GB of patient and staff data including ID cards, insurance claims and internal records, then dumping it online.

Victim: Moorfields Eye Hospital Dubai

RansomwareResolvedAugust 1, 2021

Lazio Region ransomware attack

A RansomEXX ransomware attack encrypted the datacenter of Italy's Lazio Region, knocking the COVID-19 vaccination booking portal offline for days and triggering a domestic terrorism investigation.

Victim: Regione Lazio