Key Takeaways
- Hackers have stolen 400,000 files from 120,000 patients of the health portal Manage My Health and are threatening to release them unless a ransom of US$60,000 is paid.
- Patients whose GPs have stopped using Manage My Health may still have their historical data stored on the platform, unless they have manually cancelled their account.
- Manage My Health is working on notifying affected patients and will begin sending notifications via email within the next 24 hours.
- The company is advising patients to change their passwords regularly and use two-factor authentication to protect their accounts.
- The privacy commissioner’s website states that health agencies should not keep medical information for any longer than they have a lawful purpose for using it.
Introduction to the Data Breach
A serious data breach has occurred at the health portal Manage My Health, with hackers stealing 400,000 files from 120,000 patients. The hackers are threatening to release the stolen data unless Manage My Health pays a ransom of US$60,000. The breach has raised concerns about the security of medical records and the responsibility of healthcare providers to protect patient data. Manage My Health has begun notifying general practices about the breach and is working on informing individual patients.
The Impact on Patients
Many patients have been affected by the breach, including those whose GPs have stopped using Manage My Health. These patients may still have their historical data stored on the platform, unless they have manually cancelled their account. One patient, who wished to remain anonymous, reported being "horrified" to discover that her intimate medical information was still stored on Manage My Health, even though her GP had stopped using the platform in 2020. She felt a sense of betrayal and questioned why her GP had not advised her to cancel her Manage My Health account.
Manage My Health’s Response
Manage My Health chief executive Vino Ramayah has confirmed that the company holds on to patient records unless a patient cancels their account. He advised patients to have "a level of personal diligence" with their Manage My Health accounts, including changing their passwords regularly and using two-factor authentication. Ramayah also encouraged patients to consider security as a key part of their thinking, especially when using healthcare apps. Manage My Health has begun notifying affected GPs and is working on establishing an 0800 helpline for impacted patients.
Regulations on Medical Record Retention
The privacy commissioner’s website states that health agencies should not keep medical information for any longer than they have a lawful purpose for using it. According to the Health (Retention of Health Information) Regulations 1996, health agencies must keep health records for 10 years from the last time they provided services to a patient, unless the records have been transferred to a new healthcare provider or given to the patient. This raises questions about the responsibility of healthcare providers to retain medical records and the potential risks of storing sensitive information for extended periods.
Notifying Affected Patients
Manage My Health has stated that it will begin notifying affected patients via email within the next 24 hours and hopes to complete this process by early next week. The company will also establish an 0800 helpline for impacted patients and provide them with information on how to access more support. The notification process is a critical step in ensuring that patients are aware of the breach and can take steps to protect their personal and medical information.
Conclusion
The data breach at Manage My Health highlights the importance of protecting medical records and the need for healthcare providers to prioritize patient data security. Patients must be vigilant in monitoring their accounts and taking steps to protect their sensitive information. The breach also raises questions about the regulations surrounding medical record retention and the potential risks of storing sensitive information for extended periods. As the notification process continues, patients and healthcare providers must work together to ensure that patient data is protected and that those affected by the breach receive the support they need.
