ManageMyHealth says code fixed, security tightened after hack
RNZ

The operators of compromised patient data app ManageMyHealth say they have received "independent confirmation" from IT experts the flaws in its code have been fixed.
ManageMyHealth confirmed last week it had identified a security incident involving "unauthorised access" to its platform. It believed between 6 and 7 percent of the approximately 1.8 million registered users may have been impacted.
On Saturday it said just one part of the app - Health Documents - had been accessed by hackers, and not the whole app.
"We now have the complete list of people whose documents may have been accessed and expect forensic confirmation of the documents effected (sic) in the coming days," the company said in a statement.
Affected users would be contacted in the coming days, it said, "following confirmation of forensics and liaison with PHOs and GPs to ensure that individuals are getting the right information, in line with Privacy Act requirements".
The "specific gaps" that allowed hackers to access documents had been identified and closed, the company said.
"This fix has been independently tested and verified by external cybersecurity experts."
Logins had been made more secure, the statement assured, and the number of access attempts in a short time limited.
"For peace of mind, any Manage My Health user can reset their password or enable two-factor authentication (2FA) where available including biometric measures, to add an additional layer of protection to their accounts."
Users could now authenticate themselves using Google and Microsoft authenticator apps, the company said.
"In addition, keep an eye out for anything unusual, such as medical bills or insurance claims you don't recognise, or unexpected letters from healthcare providers. If you see anything that looks odd to you, contact the relevant provider immediately."
Earlier on Saturday, Health Minister Simeon Brown said government agencies were working with ManageMyHealth to fully understand the scope of the breach and to protect the privacy of patients.
"This is a concerning breach of patient data and Health NZ is working closely with ManageMyHealth to ensure it is being appropriately addressed," he said.
"At this stage, there is no evidence any Health NZ systems, including My Health Account, have been compromised as ManageMyHealth has separate systems."
Shortly before midday on Saturday he said an incident management team had been established to support ManageMyHealth.
Brown said he had asked for advice from the Ministry of Health on options for an independent review of what occurred.
The Public Service Association said the incident was a warning to government departments shedding IT staff.
"We have seen it before in the public health system with the Waikato Hospital ransomware attack in 2021, and yet this government failed to heed that lesson in forcing Health NZ to cut the jobs of experts running digital services," national secretary Fleur Fitzsimons said.
"The risks are too high to play fast and loose with data systems - it's a ticking time bomb."
ManageMyHealth said it was working with the police, Health NZ and the privacy commissioner, and setting up a dedicated 0800 number and online helpdesk to help affected patients.