Waikato District Health Board will not be fined for patient data being hacked, but it may face liability if harm is caused from it, the Privacy Commissioner says.

Some patient information was published yesterday on the dark web after the ransomware attack that crippled five hospitals' IT systems in May.

The information was reported to have included bank details, drivers' licences and passports.

Privacy Commissioner John Edwards told RNZ's Morning Report while the information was not widely available, it was still accessible to malicious actors and that was troubling.

"We don't really know the extent yet, we've seen a couple of screenshots of different directories which show different categories of information but we don't know how much of the information that has been taken from the DHB has ended up accessible there."

If it becomes more predominant, they could ask search engines to block links to it.

"Whether they accede or not, we don't know. We don't have a right to de-link in this country as they do in other countries," Edwards says.

The risk was that it could result in harm through identity theft and malicious actors fraudulently obtaining credit.

"I would encourage anybody who is concerned about that to exercise their rights under the credit reporting privacy code, to get a credit freeze or suppression of their information," Edwards says.

"That would stop their credentials being used to open credit contracts."

He says he did not believe the attackers would succeed in their bid to obtain a ransom, with officials previously stating they would not give in to those demands.

The onus was on the DHB to try and secure the data and assist victims by notifying them if they were involved and where to get help, he said.

"They have an 0800 number for anybody who is concerned about their data being included in the hack [0800 561 234]."

In addition, IDCARE was also available to provide support for victims of ID theft on 0800 121 068.

While there were no penalties for the DHB, they could still face liability if an intensive investigation could prove that, Edwards says.

"If somebody has suffered some loss or considerable distress as a result of having their information included in the hack and it can be shown that the DHB failed in its duty to take reasonable care, then there could be a liability,” he explains.

"But there would have to be a reasonably extensive and forensic process of investigation to determine whether that liability arose."

In a statement yesterday, the DHB says it has taken steps to notify affected staff and patients of the previous leak and was working closely with the commissioner to meet its obligations.

"The DHB has obtained this material and is now working through it to understand the content and will thereafter notify affected patients and staff."

It is not clear how many patient and staff files are involved in total.

Patients' Rights Advocacy Waikato chairperson Carolyn McKenzie says it was a very concerning development, given the information could be used any time in the future.

"I think that'd make them feel extremely insecure and very angry and really who can you blame. How much money can they afford to spend on something like that, and you still won't be secure."

RNZ