Manage My Health hacker identified

The Manage My Health privacy breach is one of the biggest in New Zealand's history. Photo: RNZ
By Finn Blackwell of RNZ

A cybersecurity group says it's identified the person responsible for hacking into the Manage My Health portal, and now it wants justice served.

The privacy breach is one of the biggest in New Zealand's history, after hackers gained access to health data being held by the privately owned patient records company, Manage My Health.

The person responsible, a hacker who calls themselves Kazu, demanded $US60,000 ($NZ100,000) for the stolen data.

Manage My Health has been granted a High Court injunction preventing anyone from accessing or sharing the stolen data.

Kazu had previously published samples of the leaked information online.

Earlier this month, all posts referring to Manage My Health had been removed from the page.

The International Online Crime Coordination Centre (IOC3) has been tracking Kazu, following the breach.

It targets online harm, including child exploitation, grooming, extremism and fraud.

The group has shared its investigation with RNZ. We have agreed not to name the person believed to be behind Kazu or details that could jeopardise a further investigation.

They have also alerted the authorities.

IOC3 executive director Caden Scott said they needed to be careful.

"We're just mindful that we're still looking into this individual, and we don't want to mistakenly drive this person underground by making them aware that there are these kinds of investigations ongoing into them."

Scott said they wanted to see the person behind the attack arrested.

"We definitely want justice," he said.

"We want this person to be looked into and this person to be arrested as a result of their actions. They've definitely committed a plethora of crimes there, and this isn't the only attack that they've done. They've attacked numerous other institutions from across the entire globe."

He said health companies hold extremely sensitive data.

"When you look at healthcare institutions, or anything like that, especially ones that hold a lot of people's very personal data, often times they don't really have that choice in paying the ransom or not paying the ransom," Scott said.

"These are very sensitive topics and very sensitive information, so a lot of times it's best to do whatever possible to stop that information getting out."

Scott encouraged victims of ransomware attacks not to pay the hackers.

"Paying that ransom doesn't guarantee that the data isn't going to be leaked," he said.

"They might ask you for half a million dollars, you pay that, and then they decide: 'Well, can also sell this database to everyone as well and make even more money'."

It was better to go through law enforcement, Scott said.

The National Cyber Security Centre's chief operating officer Mike Jagusch said they were aware of information in the public domain identifying those who've claimed responsibility for the attack on Manage My Health.

He said they were working with police, Health New Zealand, and other agencies to reduce the impact of the breach and prevent further exploitation of the leaked data.

"At the National Cyber Security Centre, we have a range of tools and information it uses to help establish the identity of malicious actors," he said.

"This process is called attribution, and it can be very complex. It requires significant analysis to have the necessary level of confidence to attribute activity to an actor or group."

Jagusch said public attribution of cyber activity to a group or state was a whole-of-government process, and was undertaken when it was in the national interest to do so.