A cyber security breach that brought Waikato District Health Board to its knees took out one of the country's four regional cancer hubs, prompting the Cancer Control Agency to declare a national emergency to get patients with life-threatening cancer conditions moved to other hospitals.

Radiation treatment at Waikato Hospital, where a regional cancer hub operates, was one of dozens of services rendered unavailable after the ransomware attack on May 18.

Cancer Control Agency, Te Aho o Te Kahu chief executive Diana Sarfati stopped short of calling the situation a crisis but says it's 'incredibly anxiety provoking” for patients.

'There was a crisis in that a cyberattack took out a major hospital. We were certainly treating it as an urgent situation that needed to be addressed.”

According to a contingency planning document put together in the aftermath of the attack and released by the DHB under the Official Information Act, at least 30 cancer patients were transferred including to private hospitals in Wellington and Tauranga, and Auckland's public hospital.

'Patients that went to Auckland needed to be seen within hours,” Sarfati says.

'These were patients who were very acutely unwell. [For example]… if a patient had pressure on the spinal chord which can result in paralysis.”

Other cancer patients whose treatment was not life-threatening faced minor delays, Sarfati said, but a crisis in providing cancer treatment was avoided because Te Aho o Te Kahu was able to co-ordinate with other hospitals to provide capacity.

'The patients were relocated very quickly and they were very grateful. But the delays were not great and of course it's incredibly stressful for people in the middle of cancer treatment or due to start.”

No patients were sent overseas and Sarfati says at no point did Te Aho o Te Kahu consider it because both Melbourne and Sydney were in the middle of a Delta surge.

Sarfati says all cancer treatment has now resumed at Waikato DHB.

'Radiation got up and running quite quickly at the beginning. The biggest difficulty was the information systems and that has taken longer but they have really done an incredible job to provide continuous care.”

She says the Ministry of Health is now 'looking at how to secure systems”. 'There's a lot of work going on to ensure as great a security as possible.”

A Ministry of Health spokesperson says a cyber security assurance review of the Ministry and all DHBs was underway and was expected to be completed later this month.

The review was initiated by DHB chief executives and deputy director general of data and digital Shayne Hunter in response to the Waikato breach, and would provide assurance of continued improvement to cyber security systems to ensure they were resilient to any future cyberattack.

The contingency planning document shows Waikato Hospital was in chaos after the attack, as staff grappled with paralysed information technology systems, and the disorder was widespread.

In children's health, lab services such as for blood tests were reduced to critical samples only and large reports for clinically complex children could not be completed.

Many online capabilities had to be moved to paper-based systems such as referrals, admissions, transfer, clinic appointments, location of patients and patient alerts.

There was no eligibility status for patients, patient NHI [National Health Index] numbers were unavailable meaning doctors couldn't keep track of them, daily news updates were not getting through to staff without phones, staff rosters were down and in women's health the delivery suite theatre bookings were in question.

The child protection team was unable to upload alerts to a national system, there was no access to local alerts for the vulnerable unborn, had no visibility of Ōranga Tamariki cases entered prior to the breach, and staff were unable to see who was booked into violence intervention training.

Some regional DHBs blocked Waikato emails and faxes making updates to them on babies from those regions in Waikato Hospital's Newborn Intensive Care Unit [NICU] difficult.

In women's health gynaecology patients were told not to come in for their appointments which were rescheduled, women who turned up for antenatal clinics had to identify themselves while scans of their babies could not be saved, and staff had to manually go through every elective caesarean section booking.

The 42-page document shows patient safety was compromised in the intensive care unit [ICU] because of limited access to each patient's history, specialist clinics were cancelled, incoming emergency patients with less severe injuries or illness were redirected to Auckland, and surgeries were limited to patients that did not require radiology or laboratory services.

In other departments, clinicians were disconnected from the network, turning to bedside monitoring of critical patients in ICU and the high dependency unit; errors were reported in handwritten NHI numbers; there was no ability to send electronic Covid reports from the lab; patients trying to call couldn't get through; CCTV and parking pay stations were down, and even dietary requirements couldn't be accessed for patients being fed in hospital.

The DHB has now recovered from the attack and continues to investigate the cause.