Key Takeaways
- The Manage My Health privacy breach is one of the biggest in New Zealand’s history, with hackers gaining access to health data and demanding US$60,000 for the stolen information.
- A cybersecurity group, the International Online Crime Coordination Centre (IOC3), has identified the person responsible for the breach and is working with authorities to bring them to justice.
- The IOC3 is encouraging victims of ransomware attacks not to pay the hackers, as it does not guarantee that the data will not be leaked.
- The National Cyber Security Centre is working with police and other agencies to reduce the impact of the breach and prevent further exploitation of the leaked data.
Introduction to the Breach
The Manage My Health privacy breach is a significant incident that has compromised the personal health data of numerous individuals in New Zealand. The breach occurred when hackers gained access to the patient records company’s portal, resulting in the theft of sensitive information. The hackers, who go by the name "Kazu," demanded a ransom of US$60,000 in exchange for the stolen data. Manage My Health has since been granted a High Court injunction to prevent anyone from accessing or sharing the stolen information.
Investigation and Identification of the Hacker
The International Online Crime Coordination Centre (IOC3) has been tracking Kazu and has shared its investigation with RNZ. The group has identified the person believed to be behind the hacking, but has chosen not to release their name or any details that could jeopardize further investigation. IOC3 executive director Caden Scott stated that the group needs to be careful in its investigation, as they do not want to drive the person underground and prevent them from being brought to justice. Scott emphasized that the group wants to see the person behind the attack arrested and held accountable for their actions.
Ransomware Attacks and the Importance of Not Paying the Ransom
Scott encouraged victims of ransomware attacks not to pay the hackers, as it does not guarantee that the data will not be leaked. He explained that paying the ransom can actually encourage hackers to demand more money, and that it is better to work with law enforcement to resolve the situation. This approach can help to prevent further exploitation of the leaked data and ensure that those responsible are held accountable. The IOC3’s stance on not paying the ransom is in line with the advice of many cybersecurity experts, who warn that paying the ransom can create a perverse incentive for hackers to continue carrying out these types of attacks.
Collaboration with Authorities and the National Cyber Security Centre
The National Cyber Security Centre’s chief operating officer, Mike Jagusch, stated that the centre is aware of the information in the public domain identifying those who have claimed responsibility for the attack on Manage My Health. The centre is working with police, Health New Zealand, and other agencies to reduce the impact of the breach and prevent further exploitation of the leaked data. Jagusch explained that the process of attributing cyber activity to a group or state is complex and requires significant analysis. Public attribution of cyber activity is a whole-of-government process that is undertaken when it is in the national interest to do so.
Conclusion and Next Steps
The Manage My Health privacy breach is a significant incident that highlights the importance of cybersecurity and the need for individuals and organizations to take steps to protect themselves from these types of attacks. The IOC3’s investigation and identification of the hacker responsible for the breach is a positive step towards bringing those responsible to justice. As the investigation continues, it is essential that individuals and organizations remain vigilant and take steps to protect themselves from ransomware attacks. This includes not paying the ransom and working with law enforcement to resolve the situation. By taking these steps, we can help to prevent further exploitation of leaked data and ensure that those responsible are held accountable for their actions.
