Online patient portal Manage My Health was targeted in a major ransomware attack on December 30.
Hackers hit Manage My Health over the holidays.

Everything you need to know about the Manage My Health hack attack

Missed the news about the massive data breach that’s affected hundreds of thousands of New Zealanders? Here’s a rundown.

While much of New Zealand was enjoying the holiday, hackers carried out a cyber attack on local tech company Manage My Health. The company confirmed the breach in a January 1 statement and more details soon followed, with news outlets and industry experts shedding some light on the developing story. What we know now is that hundreds of thousands of people are affected, the Privacy Commissioner is involved, the hacker’s alleged demands have been made public, the government has called for a review into the response, and experts warn of considerable risk to affected users. Here’s what you need to know.

OK, what did I miss?

A major ransomware incident! The target was Manage My Health, a private company that runs an online portal used by private healthcare providers for sharing information with patients. It counts 1.8 million users. 

While primary care providers like GPs can access some government funding for enrolled patients, they are private businesses. This means they can set their own fees and choose which software they use. Many, but not all, enlist Manage My Health: it’s the most-used patient portal in New Zealand.

An estimated 430,000 patient files were stolen in the breach, which Manage My Health became aware of on December 30. Hackers had accessed a single “health documents” module containing user-uploaded files, specialist referral letters and “some” hospital discharge summaries, all of which were downloaded in the theft. 

Woah, why would someone do that?

For money, duh. The hackers demanded a ransom of US$60,000 (around NZ$104,000) and threatened to release the files if it wasn’t paid. A deadline was set for Tuesday, January 6, then extended to Friday, January 9. 

It’s understood that a hacker called “Kazu” is behind the attack. Someone claiming to be them spoke to the Herald via Telegram, explaining that they target healthcare companies and set ransoms at affordable levels – which they alleged most targeted companies end up paying – before outlining at length the rationale and methodology behind their hacks. Past targets reportedly include companies and governments around the world.

As of January 13 it wasn’t clear whether the ransom deadline had been extended again, nor whether Manage My Health was willing to pay it. “This incident is subject to a police investigation. MMH is unable to provide any comment relating to the hacker, or any ransom demand. Police advice is that third parties should not engage directly with criminal hacker groups, including in this situation,” the company said in a statement on Friday. “The New Zealand government recommends not paying a ransom. Payment does not guarantee that you will get your data back.”

Hackers are reportedly holding private patient files to ransom (Headlines: The Post, RNZ, the Herald)

So how did it happen?

Through the “front door”, apparently. The hackers used a “valid user password” to gain access, possibly obtained via automated login attempts.

Shit. Who’s affected?

All up, 125,000 users and 355 “referral-originating GP practices” have been caught up in the breach. Manage My Health is responsible for notifying them all.

On January 8 it began alerting people caught up in the hack. Not everyone was contacted immediately, with the company instead taking a phased approach, which caused some frustration and concern among users. There were reports of people contacting their GPs directly in the wake of the breach to find out whether they were affected, while others claimed the Manage My Health website crashed when visited.

Northland has been disproportionately affected in the breach, with data from 45 primary care practices and 80,000 patients accessed. The region is the only one in the country where Health NZ, the government’s public healthcare provider, uses Manage My Health to share information with patients, according to RNZ.

How’s Manage My Health been handling it?

Chief executive Vino Ramayah admitted the company “dropped the ball” and has apologised “for the pain and disruption that this incident has caused to our providers and patients as a result of this criminal activity against our systems”.

It first flagged the breach with GPs on December 3. The Office of the Privacy Commissioner – an independent Crown entity that works to ensure compliance with the Privacy Act and assist victims – was alerted on January 1 at 3.30am. Manage My Health also notified the police, Health NZ and “other organisations”, engaged independent cyber security specialists, is monitoring data leak websites and has prepared takedown notices.

Half of affected users had been notified via email by last Friday and an 0800 helpline was set up by Manage My Health to provide support.

It also filed an urgent injunction against “unknown defendants” with the High Court, aimed at preventing third parties accessing any leaked data. Justice Andru Isac ruled that there was “no doubt that sensitive patient information has been unlawfully obtained” with the purpose of extorting payment. “Those responsible have sought to make plain the seriousness of their threat by publishing a small sample of the stolen data.”

What should I do?

If your GP uses the Manage My Health portal and if you haven’t done so already, log in to Manage My Health to see if you’re affected. Even if you’re in the clear, changing your password and turning on two-factor authentication is recommended. You can also contact your healthcare provider if you’re really concerned (but be mindful of the extra workload the whole situation has created for GPs). The Privacy Commissioner advises people experiencing “actual or potential” privacy harm to make a complaint with Manage My Health and CC in your GP. If you believe your information is being used for fraud, criminal activity or for identity theft then you need to contact the police.

What’s the response been?

Not stoked. GPs are stressed, patients are frustrated and freaked out. Some were surprised to learn that Manage My Health and other patient portals weren’t government run.

Industry representatives and ministers are disappointed with how the situation has been handled. The College of GPs called Manage My Health’s response to the breach “shambolic, frustrating and slow”. Health minister Simeon Brown told The Post the company had been “acting too slowly” and questioned its communication with users. (Manage My Health admitted that it “could have done a better job at communication”.)

There has been criticism of Manage My Health’s security practices. It’s up to the user to enable optional two-factor authentication, which is considered the “gold standard” for online safety. “Multi-factor authentication really needs to be mandatory across all accounts for it to be properly effective,” digital specialist Callum McMenamin told RNZ. (He also pointed out that it was mandatory on the KFC app.)

Many experts have stressed how serious the situation is. The scale of the incident is “dire” and, according to digital investigator Keith Ng, the worst data breach Aotearoa has seen in a decade. 

The breach has highlighted the importance of data security and raised questions around accountability and action. (Headlines: Stuff, RNZ, the Herald, government press release)

What next?

The Ministry of Health has been tasked with a review of the response to the breach, which Brown described as a “wake-up call”. That’s due to start before the end of the month. Manage My Health said it welcomed the review and planned to “cooperate fully”, while chief executive Ramayah told RNZ he was “not unprepared to step down”.

As far as the ransom goes, Manage My Health has made it clear it won’t comment further on the matter, due to the ongoing police investigation. But if it’s not paid, the hackers could potentially sell the files to buyers – likely on the dark web – to extract the value they didn’t get from the company. 

Other than the ransom money, what else is at stake?

A lot, actually. Personal details obtained from a breach, like names, birth dates and phone numbers, could be used for cyber thefts like accessing bank accounts. Health records can contain highly sensitive information. “Scammers can use knowledge of the patients to pose as their doctors. Mentally or physically vulnerable individuals can be targeted for crimes,” wrote Keith Ng in the Herald. He also noted that the High Court injunction would do little to mitigate harm.

Records of sexual assault, family violence and stigmatised conditions could be used for blackmail, intimidation or accessed by abusive partners. Victim advocates have said knowledge of the hack could cause trauma for users even if their files weren’t accessed.

The fact that a data breach of this magnitude happened could result in the “newly tech-wary” public having reduced trust in online services and the healthcare system. With digital systems and services playing a growing role within the healthcare industry, cyber security and data privacy are increasingly important. Some experts suggest there should be government-enforced data security standards.