New Zealand’s Manage My Health patient portal has been breached. Photo: Manage My Health
The data of up to 126,000 New Zealand health patients has been held ransom by a hacker who allegedly breached popular patient portal Manage My Health (MMH).
The privately-operated service, used for health information management by numerous patients and general practices in New Zealand, confirmed on New Yearâs Day it had been notified of a âsecurity incident involving unauthorised access to its New Zealand applicationâ.
The company found between six and seven per cent of its approximate 1.8 million users may have been affected by the incident â equating to between 108,000 and 126,000 users.
A sample of the leaked data reportedly included clinical notes, lab results, vaccination records, medical photographs and personal information such as names, emails and phone numbers.
The company said the incident was limited to the âMy Health Documentsâ section of the MMH app.
Chief executive Vino Ramayah described the breach as a simple âpassword accessed intrusionâ, noting the attacker âcame in through the front door using a valid user passwordâ.
He said the company understood âhow personal and sensitive health information isâ and recognised the âstress an incident like this can causeâ.
âOur team is working hard to identify those affected, and to communicate directly and transparently,â he said.
The company has notified the New Zealand Police and the countryâs Office of the Privacy Commissioner.
If they donât pay, Iâll sell it
Information Age understands the data leak first appeared on a prominent hacking forum under a post from a highly active user named âKazuâ.
Kazu stated precisely 428,337 files, totalling 108 gigabytes, had been âdumpedâ on the website on 30 December.
The hacker demanded a ransom of $60,000 by a deadline of 15 January.
âIt will be available for purchase if they donât pay the ransom,â wrote Kazu.
The hacker also provided an alleged sample which anyone with a public internet connection could access directly.
The hacker offers to sell more than 400,000 stolen documents. Source: RNZ
Information Age located Kazuâs forum account and a post matching the date and time of their alleged MMH leak, though all details had been inexplicably removed.
At the time of writing, the post appeared to have accrued more than 1,400 views.
Kazu did not respond when asked for more information about their alleged data theft.
Patients confused as MMH seeks injunction
MMH moved quickly to seek injunction orders from New Zealandâs high court to prevent third parties from âaccessing any data postedâ from the incident and require âanyone immediately delete and take downâ links or publication of the affected dataset.
Further to tasking an âinternational teamâ with leak monitoring and takedown notices, the company reiterated any âunlawful use of private client informationâ would be subject to legal action.
Notably, cybersecurity injunctions have recently stirred controversy for serving as a double-edged sword: while they can restrict cybercriminals, experts warn they can also impede the work of cybersecurity professionals trying to keep victims protected and informed.
Though MMH has started to notify impacted practices this week, droves of New Zealanders have taken to social media to voice confusion on whether their information was impacted.
âI’m getting so anxious about this situation, my medical and mental health records are very personal to me and there are things in there that I’d rather my family not know,â wrote one user on Reddit.
On 5 January the company conceded it âcould have done a better job at communicationâ, but maintained its priority was to âsecure patient data and work on the accuracy of all information before providing it to practices and patientsâ.
Government to review breach after MMH âdrops ballâ
In an interview with RNZ, MMH chief executive Ramayah refused to comment on whether the company would pay a ransom, though he conceded the company âdropped the ballâ.
âI take responsibility⊠I was the founder of this company,â he said.
âI’m not unprepared to step down if there’s a better person who can do a better job than I did.â
On Monday, Health Minister Simeon Brown commissioned the Ministry of Health to review the response to the incident.
“The security of patient information is a matter I take very seriously as minister, and thatâs why I asked officials for options in relation to this incident,” Brown told Information Age.
âManageMyHealth has welcomed the commissioning of the review and has said it will cooperate fully.
âIt has noted that the findings and recommendations will be helpful to the whole sector.â
MMH said it has âfixed the security gapâ that allowed the unauthorised access to occur and has made logins âmore secureâ with âextra checksâ and a limit to the number of times users can attempt successive logins.
MMH has been approached for comment.