Key Takeaways:
- Manage My Health, a patient portal, has suffered a massive data breach, affecting around 6-7% of its 1.8 million registered users.
- The breach includes medical records, discharge summaries, and referral documents, with some data dating back to 2017.
- Patients and healthcare professionals are criticizing Manage My Health’s response to the breach, calling it "shambolic, frustrating, and slow."
- A new ransom deadline has arrived, but it is unclear if Manage My Health will pay the ransom.
- Deceased patients’ records have also been breached, and next of kin need to be contacted.
Introduction to the Breach
The recent cyber attack on Manage My Health, New Zealand’s largest patient portal, has left many patients and healthcare professionals frustrated and concerned. A new ransom deadline has arrived, and the company is facing criticism for its response to the breach. Manage My Health believes the new deadline is 5am on Friday, but it has not disclosed whether it is prepared to pay the ransom. The company’s reaction to the breach has been labeled "shambolic, frustrating, and slow" by the College of GPs president, Luke Bradford.
Criticism of Manage My Health’s Response
The College of GPs and the General Practice Owners Association have expressed disappointment with Manage My Health’s handling of the breach. Patients are struggling to find out if they have been affected, and many have reported that the website has crashed as they try to access their accounts. Angus Chambers from the General Practice Owners Association stated that patients who have not yet been notified are left wondering if their data has been breached. Manage My Health’s latest update claimed that direct notifications to the first 50% of affected patients had commenced, but the company did not provide further clarification.
Patient Experiences
Patients affected by the breach are sharing their experiences. One patient, Barbara, said she was initially told her data had not been breached, only to receive a subsequent email confirming that it had. She was directed to change her password but was unable to do so because the website crashed. Another patient, who wished to remain anonymous, criticized Manage My Health for not anticipating the surge in traffic to its website. Disability advocate Blake Forbes expressed concern that many people are still in the dark about the breach, causing anxiety and uncertainty.
Breach Details
Manage My Health has appointed an honorary clinical advisor, Emeritus Professor Murray Tilyard, to help manage the breach. Tilyard explained that the breach affects three categories of data: Northland hospital discharge summaries, patient-generated documents, and referral documents. He acknowledged that the breach is significant but varies from practice to practice, with some practices having a higher proportion of affected patients. Tilyard emphasized the importance of identifying patients who are potentially vulnerable and may need more support, including next of kin of deceased patients whose records have been breached.
Security Concerns
Vimal Kumar, a senior lecturer at Waikato University’s Cyber Security Lab, criticized Manage My Health’s response to the breach, stating that it took too long to contact affected patients. He described the breach as "a pretty major one" and expressed concern about the company’s cybersecurity posture. Kumar pointed out that Manage My Health’s website had not properly set up DMARC (Domain-based Message Authentication, Reporting, and Conformance), which is a simple security measure to configure. This raises questions about the company’s overall cybersecurity practices.
Conclusion
The data breach at Manage My Health has caused significant concern and frustration among patients and healthcare professionals. The company’s response to the breach has been criticized as slow and inadequate, and the new ransom deadline has added to the uncertainty. As the situation continues to unfold, it is essential for Manage My Health to prioritize transparency and communication with affected patients and to take immediate action to improve its cybersecurity measures to prevent similar breaches in the future.
