Hack Prompts ManageMyHealth to Enhance Security and Code

Key Takeaways:

  • ManageMyHealth, a patient data app, has confirmed a security incident involving unauthorized access to its platform, potentially affecting 6-7% of its 1.8 million registered users.
  • The company claims to have fixed the flaws in its code and has received independent confirmation from IT experts.
  • Affected users will be contacted in the coming days, and the company is working with government agencies to protect patient privacy.
  • The incident has raised concerns about data security and the risks of cutting IT staff in the public health system.
  • Users can take steps to protect their accounts, including resetting their passwords and enabling two-factor authentication.

Introduction to the Incident
The operators of ManageMyHealth, a patient data app, have announced that they have received independent confirmation from IT experts that the flaws in its code have been fixed. This comes after the company confirmed a security incident involving unauthorized access to its platform, which may have affected between 6 and 7 percent of its approximately 1.8 million registered users. The incident has raised concerns about data security and the potential risks to patient privacy.

Details of the Breach
According to ManageMyHealth, hackers accessed only one part of the app, Health Documents, and not the whole app. The company has stated that it now has the complete list of people whose documents may have been accessed and expects forensic confirmation of the affected documents in the coming days. Affected users will be contacted in the coming days, after forensic confirmation and liaison with Primary Health Organisations (PHOs) and General Practitioners (GPs) to ensure that individuals get the right information, in line with Privacy Act requirements.

Security Measures
The company has taken steps to address the security gaps that allowed hackers to access documents. The specific gaps have been identified and closed, and the fix has been independently tested and verified by external cybersecurity experts. Additionally, logins have been made more secure, and the number of access attempts in a short time has been limited. Users can also take steps to protect their accounts, including resetting their passwords or enabling two-factor authentication (2FA) where available, including biometric measures. Furthermore, users can now authenticate themselves using Google and Microsoft authenticator apps.

Government Response
The Health Minister, Simeon Brown, has stated that government agencies are working with ManageMyHealth to fully understand the scope of the breach and to protect the privacy of patients. An incident management team has been established to support ManageMyHealth, and the Minister has asked for advice from the Ministry of Health on options for an independent review of what occurred. The Public Service Association has said the incident is a warning to government departments shedding IT staff, citing the risks of compromising data systems.

Consequences and Next Steps
The incident has raised concerns about the risks of cutting IT staff in the public health system. The Public Service Association has stated that the incident is a "ticking time bomb" and that the risks are too high to play fast and loose with data systems. ManageMyHealth is working with the police, Health NZ, and the privacy commissioner to address the incident and is setting up a dedicated 0800 number and online helpdesk to help affected patients. Users are advised to keep an eye out for anything unusual, such as medical bills or insurance claims they don’t recognize, or unexpected letters from healthcare providers, and to contact the relevant provider immediately if they notice anything suspicious.

Conclusion and Recommendations
In conclusion, the security incident involving ManageMyHealth highlights the importance of prioritizing data security and investing in IT staff to protect patient privacy. The company’s swift response and efforts to address the incident are commendable, but more needs to be done to prevent such incidents in the future. Users can take steps to protect their accounts, and the government must take a closer look at its IT staffing and cybersecurity measures. By working together, we can ensure the security and privacy of patient data.
