Frustration is mounting over ManageMyHealth’s lack of communication with those whose personal health information has been implicated by a massive data breach.
ManageMyHealth, an online portal connecting GP clinics with their patients, found out it was hacked a week ago and the health documents of about 126,000 people had been affected.
Since Monday, ManageMyHealth has disclosed the names of some of those whose information has been accessed to a number of GP clinics – but it hasn’t said how many. The remainder are yet to be contacted.
Once it has been in touch with all clinics, it will take responsibility for notifying affected individuals, who haven’t received any direct communication from ManageMyHealth to date.
ManageMyHealth recommended GP practices review the lists of names and compromised information they were given and advise it of “any concerns about any vulnerable patients” so it could provide appropriate support.
The company clarified that information in the “My Health Documents” part of its portal was compromised. Information regarding appointments and prescriptions was unaffected.
On Monday, it said it expected to start contacting individuals affected by the breach this week.
However, on Tuesday afternoon, the Herald heard from an individual who said her GP clinic informed her she was affected by the cyber attack.
WellSouth Primary Health Network chief executive Andrew Swanson-Dobbs told the Herald he had “less than 0%” confidence in ManageMyHealth.
He criticised it for taking as long as it has to inform those affected by the breach.
When he spoke to the Herald on Tuesday afternoon, WellSouth still hadn’t been told which clinics in its network were affected.
Swanson-Dobbs said primary health organisations were well-placed to help co-ordinate a response from practices.
He noted some clinics were now in an awkward position, as they had been told who was affected by the breach but had to wait for ManageMyHealth – the party that dropped the ball in terms of its security – to contact patients.
“Our practices are asking, ‘What do we say to patients?’,” he said.
“The guidance from ManageMyHealth is not clear on what to do. Instead of a thousand practices all doing something different, there needs to be a concerted effort on what the response is. At the moment, there isn’t that leadership.”
Asked if he believed Health New Zealand Te Whatu Ora should be taking more of a leadership role, Swanson-Dobbs said yes, stressing the need for the public to have confidence in using portals such as ManageMyHealth.
“We’ve now lost public trust in the use of portals because of a private company’s inability to invest in security,” he said.
ManageMyHealth said it would set up an 0800 helpline people could contact for advice.
In the meantime, it told users, “it is best practice to regularly update your password”.
It urged people to be cautious about emails or communications they received, as scammers could exploit the situation by pretending to be from ManageMyHealth.
“We will not ask for your password. We will not ask you to share one-time codes,” ManageMyHealth said.
“Be cautious of urgent messages or links you were not expecting. If you are unsure, do not click.”
ManageMyHealth is a portal that works in conjunction with one of the two main operating systems GP clinics use – Medtech.
It has offices in New Zealand, Australia and India, and is owned by Cereus Health, whose sole shareholder is Auckland-based businessman, Vino Ramayah.
Ramayah has a long history working in medical technology. He spent two decades at the helm of Medtech Global until it was sold in 2020 and Cereus Health took control of ManageMyHealth.
Ramayah is one of two directors of ManageMyHealth and one of three directors of Cereus Health. Another director of Cereus Health shares his address.
The Herald has asked ManageMyHealth and Health NZ to explain what oversight there is of the company, including whether it is routinely audited by the latter.
As for the fact ManageMyHealth’s management is accountable to a small board, Institute of Directors chief executive Kirsten Patterson said this was typical of many New Zealand companies.
She wasn’t well placed to comment on ManageMyHealth, but said, generally speaking, as organisations grew in size or took on more complex or risky work it was useful for them to have larger boards.
Patterson said it was common for organisations with formal governance structures to have five to seven directors.
Health Minister Simeon Brown has directed the Ministry of Health to investigate the circumstances around the ManageMyHealth data breach.
Jenée Tibshraeny is the Herald’s Wellington business editor, based in the parliamentary press gallery. She specialises in government and Reserve Bank policymaking, economics and banking.