GPs worried by lack of information on ManageMyHealth data breach

RNZ

A cyber security breach at ManageMyHealth has been "contained", according to the company - but GPs and patients are still waiting to hear if their health records have been compromised.

The government is also seeking assurances, with duty minister Karen Chhour saying the breach was "incredibly concerning" for patients.

"The minister of health has asked for urgent assurances from Health NZ and Manage My Health that everything is being done to protect patient data and patient privacy. We also expect Manage My Health to communicate transparently to ensure public confidence in their product."

The country's largest patient information portal on Wednesday confirmed it had identified a cyber security incident involving "unauthorised access" to its platform.

Chief executive Vino Ramayah said the incident had been contained and was currently under investigation.

"We are working closely with the relevant authorities and independent cybersecurity specialists, and we will provide updates through formal statements as further information is confirmed," he said.

"I want to assure our users, customers, and stakeholders that we take the protection of your health information extremely seriously.

"We recognise the concern that this situation raises, and I want to reassure you that it is being treated with the utmost seriousness."

The immediate priority was ensuring the integrity and security of ManageMyHealth's systems, he continued.

"As you will appreciate, it is important that any information we provide is accurate and verified. We thank you for your patience and will continue to share updates with you as information becomes available."

A Health New Zealand spokesperson told RNZ it was working "closely" with the app's operators.

"Health New Zealand is aware of the cyber security incident at ManageMyHealth and is working with them to understand any impacts.

"As this incident is directly impacting ManageMyHealth we refer you to them for any updates."

Outdated encryption

Cyber security expert Daniel Ayers said ManageMyHealth was using an outdated encryption protocol, TLS 1.2 from 2008, and more than 1 million people might be affected.

"I had a quick look at the ManageMyHealth portal this morning after I heard about the data breach, and I see that they claim that their IT security is really good, but when I had a quick look at it, they don't use or don't support the latest version of the most important encryption protocol, TLS, and I'd expect that from a health site that takes IT security seriously."

Ayers said it was a large data breach, even by worldwide standards, and catastrophic on the New Zealand scale.

"ManageMyHealth say that over their entire period, they've supported 1.8 million Kiwis. The data breach claim says 428,000 files. So it's hard to know. But at 108 gigabytes, that's a pretty large data breach, and it looks like it's going to be much larger than the Waikato DHB data breach, which affected just over 4000 people."

Ayers said the claim of a ransomware attack should be taken seriously.

A cyber crime group, Kazu, said it had compromised approximately 108 gigabytes of information, totalling over 400,000 files. It has set a ransom demand of $60,000 by 15 January.

"Well, we don't have much information about the hacking group, but the way that this has come to pass and been published is consistent with the way these things normally go, so we have to take the threat of the ransom seriously.

"Similar thing happened with the Waikato DHB several years ago, and that was a really major incident. So, you know, there is ground for people to be concerned here."

GPs critical of lack of information

However, the dearth of communication has left family doctors worried.

The president of the College of GPs, Dr Luke Bradford, said he only learned about the potential breach through the media.

"It's terribly disappointing. They're an absolutely key tool that we use for patients. It allows patients to access their records and better manage their health, literally.

"But if their data's not safe, then their very personal information is not safe, and that's really concerning."

It was "terrible timing", with most practices now closed for four days, he said.

"We're going into this period without any formal communication about what's involved in the breach and what can be done about it."

General Practice NZ chair Dr Bryan Betty agreed the situation was extremely worrying.

"Health data in terms of patients is incredibly important, and any breach like this has to be taken extremely seriously and has to be actioned as a matter of urgency," he said.

"There should be obviously free and open transparency about the situation and what's actually happened, both for patients and practices that use the ManageMyHealth portal.

"So I would expect that to be part of their management of the present situation."
