Key Takeaways
- A new ransom deadline has arrived for Manage My Health, the country’s largest patient portal, following a massive data breach that has affected thousands of patients.
- The breach has been criticized for its slow and frustrating response, with many patients still in the dark about whether their data has been compromised.
- The breach has affected a range of medical practices, including GP practices, clinical discharge summaries, and historical clinical referral records.
- Manage My Health has been accused of having poor cybersecurity measures in place, including not having a properly set up DMARC (Domain-based Message Authentication, Reporting, and Conformance) system.
- The breach has caused significant anxiety and concern for patients, with some expressing frustration and worry about the potential consequences of their data being compromised.
Introduction to the Data Breach
A new ransom deadline has arrived for Manage My Health, the country’s largest patient portal, as criticism mounts over its response to a massive data breach. The breach, which is believed to have affected thousands of patients, has been described as "shambolic, frustrating, and slow" by the College of GPs. The college’s president, Luke Bradford, expressed frustration with the lack of information and communication from Manage My Health, saying that patients and GPs are still in the dark about the extent of the breach. Manage My Health has stated that it believes the new deadline is 5am on Friday, but it has not indicated whether it is prepared to pay the ransom.
Criticism of Manage My Health’s Response
The response to the breach has been widely criticized, with many patients and GPs expressing frustration and anxiety. Angus Chambers from the General Practice Owners Association said that it was taking too long for Manage My Health to contact patients, leaving many wondering whether their data had been breached. Manage My Health has stated that it has commenced direct notifications to the first 50 percent of patients affected, but it has not provided further information on the status of the notifications. The website has also been experiencing technical issues, with many patients reporting that it has crashed as they try to find out if they have been affected.
Patient Experiences
Patients who have been affected by the breach have expressed significant concern and anxiety about the potential consequences of their data being compromised. One patient, Barbara, told RNZ that she was initially told that her data had not been breached, only to be told two days later that it had. She expressed frustration and worry about what the breach could mean for her, saying that she was trying to figure out what her data being breached meant for her. Another patient, who wished to remain anonymous, said that Manage My Health should have anticipated the high volume of traffic on its website and taken steps to prevent it from crashing.
Breach Details
Manage My Health has announced that it has appointed an honorary clinical advisor, Emeritus Professor Murray Tilyard, to help manage the breach. Tilyard has stated that the breach is significant, but varied from practice to practice. He explained that there are three categories of data that have been breached, including Northland hospital discharge summaries, patient-generated documents, and referral documents. Tilyard said that it is essential to understand the mix of data that has been breached to inform patients about what has been taken. He also emphasized the need to identify and support vulnerable patients, including those who are deceased, and their next of kin.
Cybersecurity Concerns
The breach has raised significant concerns about the cybersecurity measures in place at Manage My Health. Vimal Kumar, a senior lecturer at Waikato University’s Cyber Security Lab, said that it had taken too long for Manage My Health to contact affected patients and that the company’s cybersecurity posture is a concern. Kumar pointed out that Manage My Health’s DMARC system is not properly set up, which is a relatively easy configuration to implement. He said that this lack of attention to cybersecurity details raises questions about what other security measures may not be in place.
Next Steps
Manage My Health has stated that it is working to notify all affected patients and provide them with support and guidance. The company has also announced that it is taking steps to improve its cybersecurity measures and prevent similar breaches in the future. However, for many patients and GPs, the damage has already been done, and the breach has highlighted the need for more robust cybersecurity measures to protect sensitive medical data. As the situation continues to unfold, it is essential for Manage My Health to prioritize transparency, communication, and patient support to rebuild trust and confidence in its services.