A High Court injunction has been granted in an attempt to stop information hacked from the ManageMy Health app being shared.
The Government has also taken action, with Health Minister Simeon Brown today commissioning a review into the response to the ManageMyHealth cyber security breach.
The privately-operated patient portal used by some general practices around New Zealand confirmed it had identified a cyber security incident involving "unauthorised access" to its Health Documents module in the app late last year.
ManageMyHealth believed between 6% and 7% of the approximately 1.8 million registered users may have been impacted - approximately between 108,000 and 126,000 users.
Speaking to media this afternoon, Brown said he understood ManageMyHealth had applied for a High Court injunction to prevent stolen information being shared.
The injunction was confirmed by ManageMyHealth in an update to members on Monday afternoon. "ManageMyHealth has today been granted injunction orders from the High Court preventing third parties from accessing any data posted as a result of the incident.
"We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.
"A cyber-attack is criminal activity, and any unlawful use of private client information will be subject to legal action and takedown orders. Any ransom demand is a matter for NZ Police and ManageMyHealth will not be making any comment in this regard, as it is an ongoing investigation."
Experts warn of extortion threat as time ticks on health breach - Watch on TVNZ+
Brown also said a ransom should not be paid to the hackers, as “there is never a guarantee they will abide by doing what they say they will do”.
“They are criminals. They are trying to use people’s most personal information to extort money from this company.
“The Government has a policy and always recommends to parties to not pay, that’s been the longstanding approach.”
In a statement earlier today, Brown said he had "decided to commission the Ministry of Health to lead a review of the ManageMyHealth and Health New Zealand’s response".
"I know this breach will be very concerning to the many New Zealanders who use ManageMyHealth, and we need assurances around the protection and security of people’s health data," he said.
"Patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards."
The hackers, who called themselves "Kazu" posted to the Telegram social media app on Sunday morning that unless the company paid a ransom of $60,000 within 48 hours, they would release more than 400,000 files in their possession, RNZ reported.
According the The Post, some information had already been uploaded.
Health Minister Simeon Brown described the breach as "concerning" and said Health NZ was working closely with ManageMyHealth to ensure it was being appropriately addressed. (Source: 1News)
Brown said the review would; assess the cause(s) of the incident, review the adequacy of the data protections that were in place and the response to the incident, and recommend any improvements required to prevent similar incidents occurring.
“I have written to the Director-General of Health asking that the review will commence no later than January 30.
"While this review should commence as soon as possible, it is important that the focus continues to be on the immediate response to the incident and that we do not distract from this response."
He said an incident management team had been meeting daily to coordinate advice and support across government agencies.
"In the meantime, I expect the Ministry to develop Terms of Reference, in consultation with the Government Chief Digital Officer and the National Cyber Security Centre, and a timeline for the review process."
Health New Zealand advised there had been no impact on its systems.
"It is working with primary care providers through General Practice New Zealand to clarify the potential impact on patients and general practices. General practices remain open and providing services."
On Saturday, ManageMyHealth said it identified and fixed the security gaps which was "independently tested and verified by external cybersecurity experts", and had made log-ins more secure and re-secured all health documents.
SHARE ME