One of the country's largest patient information portals, ManageMyHealth, today confirmed it has begun notifying affected general practices following a data breach impacting up to 126,000 users.
The privately-operated patient portal, used by some general practices around New Zealand, earlier this week confirmed it had identified a cyber security incident involving "unauthorised access" to its Health Documents module in the app late last year.
ManageMyHealth said that based on its findings, 6-7% of the approximately 1.8 million registered users were impacted. That equated to between 108,000 and 126,000 users.
"Information in the Manage My Health core module, in respect of appointments, prescription in the Health Record function have not been accessed and the portal has been independently confirmed as secure."
In an update on Tuesday afternoon, the software company said it had "now notified the first group of affected general practices and unaffected practices in a communication that was distributed on the afternoon of January 5".
ManageMyHealth believed between 6% and 7% of the approximately 1.8 million registered users may have been impacted. (Source: 1News)
"We have advised the affected practices that the independent forensic investigation has confirmed that some patients associated with their practice have been affected, and are providing resources to help them respond to any patient inquiries."
On Monday, ManageMyHealth obtained an interim High Court injunction preventing third parties from accessing any stolen data.
Today, it revealed the scope of the injunction was intended to:
- Restrain third parties from accessing or in any way dealing with the stolen data
- Require tanyone with access to the stolen data or any information obtained from it to immediately delete it
- Requireanyone immediately delete and take down any and all publications of or links to copies of the affected dataset or information obtained from it.
The Government has also taken action, with Health Minister Simeon Brown orderiing a review into the response to the cyber security breach.
The hackers, who called themselves "Kazu" posted to the Telegram social media app on Sunday morning demanding the company pay a ransom of US$60,000 (NZ$103,368) within 48 hours. There had since been unverified reports the deadline had been moved to Friday.
'Pain and anxiety': ManageMyHealth issues apology
Health Minister Simeon Brown described the breach as "concerning" and said Health NZ was working closely with ManageMyHealth to ensure it was being appropriately addressed. (Source: 1News)
GPs were advised that a list of enrolled patients affected by the breach was available in its secure Provider Portal.
"We have recommended that practices review the list and advise us of any concerns about any vulnerable patients receiving notifications, so that we can provide appropriate support.
"Features on the Manage My Health app which allow practices to see if they are affected have now also gone live to assist practices. We are working on a process to inform practices who have left Manage My Health."
The software company added that it was "currently working through the Privacy Act notification process for each affected individual, in conjunction with Health NZ and the Office of the Privacy Commissioner".
"MMH is taking on this responsibility on behalf of the practices, to which the information is being provided so that practices can provide support after individuals have been notified. Privacy Act notifications will go to practices through Manage My Health, together with details of how more information and support can be accessed."
An 0800 helpline number would also be set up to provide advice and support for affected patients.
Features on the portal's app would also go live soon to allow affected individuals to determine if any of their documents had been impacted by the breach.
"We continue to work around the clock and closely with authorities and agencies to respond to this incident and resolve the matter for patients and general practices.
"We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of this activity against our systems."
Patients or GPs with concerns or questions regarding the breach had been asked to email ManageMyHealth directly at: info@managemyhealth.co.nz
SHARE ME