Manage My Health Cyber Attack Incident

Key Takeaways:

  • A major ransomware incident occurred at Manage My Health, a private company that runs an online portal used by private healthcare providers in New Zealand.
  • Hundreds of thousands of people are affected, with an estimated 430,000 patient files stolen in the breach.
  • The hackers demanded a ransom of US$60,000 and threatened to release the files if it wasn’t paid.
  • The breach has highlighted the importance of data security and raised questions around accountability and action.
  • The Ministry of Health has been tasked with a review of the response to the breach, which is due to start before the end of the month.

Introduction to the Breach
A massive data breach has affected hundreds of thousands of New Zealanders, with hackers targeting Manage My Health, a private company that runs an online portal used by private healthcare providers. The company confirmed the breach in a January 1 statement, and more details have since emerged: the Privacy Commissioner is involved, and the government has called for a review into the response. The breach has also raised concerns about the security of online healthcare services and the potential risks to affected users.

The Breach and Its Impact
The breach occurred when hackers accessed a single "health documents" module containing user-uploaded files, specialist referral letters, and hospital discharge summaries. An estimated 430,000 patient files were stolen in the breach, which Manage My Health became aware of on December 30. The hackers demanded a ransom of US$60,000 and threatened to release the files if it wasn’t paid. The breach has affected 125,000 users and 355 "referral-originating GP practices," with Northland being disproportionately affected. The region is the only one in the country where Health NZ, the government’s public healthcare provider, uses Manage My Health to share information with patients.

The Hackers and Their Demands
The hackers, who go by the name "Kazu," have been in contact with the media, explaining the rationale and methodology behind the hack. They claim to target healthcare companies and set ransoms at affordable levels, which they allege most targeted companies end up paying. The hackers have also outlined their demands, including the payment of the ransom, and have threatened to release the stolen files if their demands are not met. The New Zealand government has recommended not paying the ransom, as payment does not guarantee that the data will be returned.

Manage My Health’s Response
Manage My Health has apologized for the breach and has taken steps to notify affected users and provide support. The company has set up an 0800 helpline and has filed an urgent injunction against "unknown defendants" with the High Court to prevent third parties from accessing any leaked data. However, the company’s response has been criticized as "shambolic, frustrating, and slow" by the College of GPs, and Health Minister Simeon Brown has questioned the company’s communication with users. Manage My Health has admitted that it "could have done a better job at communication" and has welcomed the government’s review of the response to the breach.

The Government’s Response
The Ministry of Health has been tasked with a review of the response to the breach, which is due to start before the end of the month. The review will examine the circumstances surrounding the breach and the response to it, and will make recommendations for improving data security and protecting patient information. The government has also emphasized the importance of data security and the need for healthcare providers to take steps to protect patient information. The breach has highlighted the need for government-enforced data security standards and the importance of accountability and action in responding to data breaches.

The Risks and Consequences
The breach carries significant risks and consequences for affected users, including the potential for identity theft, cyber theft, and blackmail. Personal details obtained from the breach, such as names, birth dates, and phone numbers, could be used for cyber theft such as accessing bank accounts. Health records can contain highly sensitive information, and scammers can use knowledge of patients to pose as their doctors. The breach has also raised concerns about the potential for trauma and harm to users, particularly those who have experienced sexual assault, family violence, or stigmatized conditions. The fact that a data breach of this magnitude happened could leave the "newly tech-wary" public with reduced trust in online services and the healthcare system.

Conclusion and Next Steps
The breach at Manage My Health has highlighted the importance of data security and the need for healthcare providers to take steps to protect patient information. The government’s review of the response to the breach is a welcome step, and it is hoped that it will lead to improvements in data security and accountability. In the meantime, affected users are advised to take steps to protect themselves, including changing their passwords and turning on two-factor authentication. The breach is a wake-up call for the healthcare industry, and it is essential that lessons are learned and action is taken to prevent similar breaches from occurring in the future.
