One of the country's largest patient information portals, Manage My Health, today confirmed the first 50% of up to 126,000 patients affected by a data breach had been notified.
The privately-operated patient portal, used by some general practices around New Zealand, earlier this week confirmed it had identified a cyber security incident involving "unauthorised access" to the "My Health Documents" module in the app late last year.
The direct notifications were sent out this morning to email addresses Manage My Health's patients had used to register their account.
"This communication will be personally addressed to the name associated with the account," the company said in an update today.
"A reminder that patients should keep an eye out for anything unusual – MMH will never ask for log-in credentials – and that we are intentionally redirecting MMH mobile app users to the MMH web application so that notification information is consistent across platforms.
"These email notifications will include an 0800 number that impacted individuals can call for support and assistance should they require."
Manage My Health said that based on its findings, 6-7% of the approximately 1.8 million registered users were impacted. That equated to between 108,000 and 126,000 users.
"Information in the Manage My Health core module, in respect of appointments, prescription in the Health Record function have not been accessed and the portal has been independently confirmed as secure."
The first group of affected general practices were contacted on Tuesday.
Manage My Health also reiterated its sincere apology, "for the pain and anxiety this criminal activity has caused to our providers and patients".
The company also clarified that the breach, while previously understood as having involved the "Health Records" module containing data provided by a GP, was limited to the "My Health Documents" module which stored documents, including those uploaded by users.
Data stolen primarily from Northland
ManageMyHealth has begun notifying GPs about which of their patients’ files may have been compromised. (Source: 1News)
The stolen data originated predominantly from Northland, and included approximately 45 general practices in the area; and clinical discharge summaries and historical clinical referral records from the region that was between six and eight years old.
A further 355 "referral-originating" GP practices across a number of regions and personal health information uploaded by patients were also affected.
"We recognise the disproportionate impact that this incident has had on some Northland communities. We are working closely with Health NZ/Te Whatu Ora as the data controller for Northland region documents to ensure those affected receive appropriate support and information," Manage My Health said.
Manage My Health added that it did not automatically delete patient accounts or data when a practice stopped using the platform.
"For example, many MMH users have signed up for accounts that are not linked to doctors and use the many features of the application that are not related to communications with their GP. In addition, many patients change doctors / practices while keeping their MMH account. Accounts remain active unless the patient chooses to close their account, whereupon the data is deleted."
The company said it had received independent confirmation from its cyber security specialists that the current system environment was "secure and operating as intended".
High Court injunction
Health Minister Simeon Brown described the breach as "concerning" and said Health NZ was working closely with ManageMyHealth to ensure it was being appropriately addressed. (Source: 1News)
On Monday, Manage My Health obtained an interim High Court injunction preventing third parties from accessing any stolen data.
On Tuesday, it revealed the scope of the injunction was intended to:
- Restrain third parties from accessing or in any way dealing with the stolen data
- Require anyone with access to the stolen data or any information obtained from it to immediately delete it
- Require anyone immediately delete and take down any and all publications of or links to copies of the affected dataset or information obtained from it.
Manage My Health said an international team was monitoring known data leak websites and were prepared to issue takedown notices immediately if any information was posted.
"As a precaution, patients are encouraged to change their passwords and use multi-factor authentication, especially if they reuse passwords across other services."
The Government had also taken action, with Health Minister Simeon Brown orderiing a review into the response to the cyber security breach.
The hackers, who called themselves "Kazu" posted to the Telegram social media app on Sunday morning demanding the company pay a ransom of US$60,000 (NZ$103,368) within 48 hours. There had since been unverified reports the deadline had been moved to Friday.
All posts referring to the data breach was removed from an account purportedly used by the hacker was removed on Wednesday following the injunction.
Manage My Health also issued a reminder that police advised third parties not to engage with criminal hacker groups.
"Doing so is not in the best interest of those impacted by this incident and can have unanticipated consequences."
SHARE ME