As Canopy Health confirms a cyber intrusion months after it occurred, the fallout from the Manage My Health hack continues.
A second breach, and simmering anger
New Zealand’s health data anxieties intensified on Monday when Canopy Health confirmed it had been targeted in a cyber attack. The disclosure came on the heels of the far larger Manage My Health breach revealed on December 31, making it the second report of a health data incident in as many weeks. Canopy Health is the country’s largest private medical oncology provider, running diagnostic and oncology clinics, private breast surgical centres and a drug compounding business.
The company says it identified unauthorised access to part of its administrative systems in July last year and that the incident was contained after a forensic review. Some patient data may have been copied. What has fuelled public anger is not just the breach itself but the delay in notification. Patients say they were informed only after the Manage My Health hack dominated headlines. One woman told RNZ that “six months is an outrageous amount of time to keep the breach secret.”
What we know about the Manage My Health breach
The Manage My Health (MMH) incident dwarfs Canopy’s in scale. About 127,000 patients are believed to have had data accessed, including roughly 430,000 documents uploaded to the portal’s “health documents” section. Around 70% of the affected patients are in Northland, where Health NZ uses MMH to communicate directly with patients.
The hacker, who goes by the name Kazu, told the NZ Herald’s David Fisher (paywalled) the attack was financially motivated and that they had demanded a ransom of US$60,000 ($103,500) from the firm. The deadline expired on Friday, but Manage My Health has not said whether it has made contact with the hacker or paid the ransom. It has obtained High Court injunctions aimed at limiting the spread of stolen material.
Security basics under the microscope
Writing in the Weekend Post (paywalled), Nikki Macdonald highlights a core failing experts say would likely have stopped the MMH intrusion: the absence of mandatory multi-factor authentication. Security specialists argue that requiring a second verification step dramatically reduces the risk of automated password-guessing attacks.
There is nuance, however. Digital Health Association chief executive Stella Ward notes that for some patients – particularly the elderly or those with disabilities – extra login steps can be a barrier to use. Even so, a post-breach analysis by security consultant Adam Burns found multiple gaps in security measures beyond the initial point of entry. “None of this is exotic,” he told the Herald. “These are baseline controls.” Speaking to the Front Page podcast, Burns warned the incident could attract copycat attempts: “With this news breaking, I would say we’ll be even more of a target now.”
What is Manage My Health?
As Macdonald reports, Manage My Health was spun out of Medtech, a practice management system developed in the late 1980s that went on to be used by the majority of NZ GPs. Medtech launched Manage My Health in 2008 to give patients online access to prescriptions, results and messages. Over time, uptake accelerated, helped by government funding in the mid-2010s to boost patient portal use. Today, it is the most-used of a number of health portal services which GPs utilise to share information with their patients.
In the wake of the breach, some users have expressed dismay that, contrary to their assumption, MMH and its competitors are not government-run. But digital standards consultant Callum McMenamin argues that private ownership does not necessarily carry more risk. The problem, he says, is enforcement. Private companies are only more risky “if the government does not enforce proper standards upon [them] … You don’t have to be a government agency to have high levels of security.”
Whatever the relative level of safety, the breach comes at a tricky time for the government’s digital-first strategy. It has just launched its “one-stop shop” app, govt.nz, and is promising that app-based options like digital driver licenses are on their way. As Kelly Dennett notes in the Sunday Star-Times (paywalled), “it may be minded to pay attention if it wants these initiatives to succeed amongst a newly tech-wary public”.


