Information Regulator demands details on cyberattack from National Health Laboratory Service

23 Mar 2025

South Africa’s Information Regulator has written to the National Health Laboratory to gather information on whether the organisation was compliant with the Protection of Personal Information Act at the time of a devastating cyberattack in July 2024.

The National Information Regulator has demanded details on the protection of personal information that was in place at the time of a devastating cyberattack at the National Health Laboratory Service (NHLS) in July 2024.

Regulator spokesperson Nomzamo Zondi said they are not investigating the cyberattack itself but want to determine compliance with the Protection of Personal Information Act (Popia).

This would mean that those whose information was compromised must be notified and this notification must include:

A description of the possible consequences of the security compromise;

A description of the measures that the responsible party (the NHLS) intends to take or has taken to address security;

A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise;

If known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information; and

Whether the responsible party had reasonable technical and organisational measures in place to protect the integrity and confidentiality of personal information in its possession or under its control in terms of the law.

“We have sent the NHLS a detailed correspondence requesting more information on the incident of which the NHLS provided. We are studying the information with a view to either conducting a full investigation or an own-initiative assessment,” Zondi added.

Read more: Cyber hack attack – how one click on an email link paralysed SA’s National Health Laboratory Service

Zondi said they have in the past fined one government department, the Department of Justice and Constitutional Development, for not complying with legal measures to keep personal information safe.

In July 2023, that department was fined R5-million for failing to comply with an enforcement notice compelling it to upgrade its antivirus software.

The notice had required the department to submit proof to the Regulator within 31 days of receipt of the notice that the Trend Anti-Virus licence, the SIEM licence (security information and event management) and the Intrusion Detection System licence had been renewed. It also required the department to institute disciplinary proceedings against the official or officials who failed to renew the licences, which are necessary to safeguard the department against security compromises.

This followed a ransomware attack in 2021 that led to all information systems being encrypted. Neither employees nor members of the public could access information and this included letters of authority, bail services, e-mail and its website.

In 2024, the same department suffered another cyberattack that compromised the child maintenance payout system.

This month, while testifying before the parliamentary portfolio committee on health, the CEO of the NHLS admitted that its IT systems were out of date and could not be updated, and its staff were not fully apprised of the danger of clicking on unknown links when its system was hacked in June 2024.

Patient information, however, was held on a separate server and was not compromised, but the data warehouse where historical information was kept was also rendered out of bounds by the attack. It is understood that the system used by the NHLS uses a unique identifying number for tests and these are later linked to patients.

Parliament heard that security upgrades to the IT system were not possible and it was vulnerable to attack because of several IT-related issues at the service. Acting IT executive manager John Mukomana said the NHLS was still working to get its IT system up to “minimum acceptable standards”.

BlackSuit, an extortion syndicate, gained access to the NHLS’s database on 21 June 2024 after an employee clicked on a phishing link, said the service. In previous statements, it explained that the hackers used ransomware that encrypts data until the syndicate is paid, in effect freezing the system. The ransom was not paid, it added.

The NHLS is the public sector medical laboratory and 400,000 tests are done per day. It is one of the cornerstones of South Africa’s fight against HIV and TB and a critical part of the public health system.

Most significantly, the attack rendered the TrakCare laboratory information system unusable, so although it was possible for medical tests to be done, the results could not be seen by the requesting doctors. The laboratory information system allows for the uploading of test results so that doctors can view them on their side.

Mukomana said most of the NHLS’s IT infrastructure was out of date. “We were not able to update our systems or put security patches in place,” he said.

Since the attack, however, extensive upgrades have been made to the service’s security measures.

“We need to improve our governance structures,” Mukomana added. “Also, IT issues must be listened to.”

He said that before the attack there was a lack of IT skills at the NHLS and even its executive was lacking technology skills.

The CEO of the NHLS, Professor Koleka Mlisana, told Parliament that they are investing at least R300-million in strengthening their IT systems, with more that needs to be done. This included R15-million for security operations services for three years; R28-million for new desktops and laptops; R164-million for safe switches, firewalls and enhanced security for five years; and R94-million for an upgrade of the data warehouse. DM

Categories:

Tags:

DM is much better if you are signed in...

Sci-Tech