Online patient portal Manage My Health was targeted in a major ransomware attack on December 30.
The first reports into the Manage My Health hack have been released.

The Bulletin, about 11 hours ago

Damning health data breach reports released


Three reports on the Manage My Health cyber security breach were released today… so what happened exactly, asks Henry Oliver in today’s excerpt from The Bulletin.


Mismanage my health data

Late last year, Manage My Health (MMH), a locally owned and operated online portal used by healthcare providers to share information with patients, was hacked and held to ransom. The health records of nearly 100,000 patients were stolen by a hacker group called Kazu, who published samples of the stolen data online, threatening to release everything they had unless they were paid US$60,000 ($105,000).

Three reports released today – commissioned by Health NZ, Ministry of Health and the Office of the Privacy Commissioner – combine to paint a damning picture of a lack of security, a lack of independent checks, and an over-reliance on the company’s own assurances.

The findings

As reported by Karina Cooper in the NZ Herald, phase one of the commissioner’s inquiry focuses on cause and accountability, and found significant failures on both sides. Several of MMH’s technical security safeguards were inadequate at the time of the attack, including lacking systems to detect when unusually large amounts of data were being accessed, which could have interrupted the hackers and mitigated the breach. Questions were also raised about the overall security design and risk management practices.

For Health NZ, the Herald reports, the failures were more human than digital. The project team that engaged MMH did not include any privacy or security specialists, and it failed to conduct independent checks, instead relying on assurances from MMH, leaving decision makers insufficiently informed of the risks involved.

A wake-up call

For Stuff, Ripu Bhatia reports that the inquiry’s findings have implications well beyond MMH. Privacy Commissioner Michael Webster used the opportunity to call for structural reform, recommending the Ministry of Health establish a central verification process to ensure health portals meet security standards, rather than leaving individual GP practices to assess them. He also recommended amending the Privacy Act to hold third-party providers liable when they fail to meet security standards when processing data on behalf of another agency – a change that would go some way to close the accountability gap exposed by the breach.

According to RNZ, the Deloitte report for Health NZ found that digital security across the health sector was “inconsistent and insufficient” with information made vulnerable by an over-reliance on third-party arrangements. A CyberCX report for the Ministry of Health found MMH was unprepared for an incident of this nature and scale and was likely not aligned with ‘Health Information Security requirements’ prior to the breach. The ministry has accepted all recommendations from its own independent review, with work underway on independent security checks for all suppliers, more stringent data handling standards and a wider review of digital health systems.

The response

Health NZ chief financial officer Bevan McKenzie accepted the commissioner’s findings, saying patients had been let down and that was unacceptable. Health NZ has since halted the flow of information from the Northland district to the portal and apologised to patients who discovered their health information had been stored there without their knowledge. Manage My Health, in a release quoted by multiple outlets, said the attack was a deliberate criminal act using compromised credentials, and that it was not aware of any stolen data being publicly released beyond the initial sample. It has since introduced mandatory multi-factor authentication, enhanced real-time monitoring, strengthened access controls, and expanded independent security testing.

A second phase of the commissioner’s inquiry is expected to begin soon, investigating the broader impacts of the breach — including data retention policies, notification compliance, and whether the breach caused a disproportionate impact on Northland Māori. Spoiler alert: it did.