ManageMyHealth informing GP clinics affected by cyber attack before contacting individuals later this week

ManageMyHealth is starting to contact general practitioners’ clinics whose patients’ information has been compromised by a cyber attack.

The company, which provides an online portal through which GPs can communicate with their patients, found out it was hacked on December 30.

It has identified the individuals whose personal health records have been compromised but is getting its ducks in a row, legally, before reaching out to them.

Late on Monday afternoon, ManageMyHealth said it had started contacting GP clinics affected by the data breach.

Sometime this week it would contact the 126,000-odd patients who could be victims of the attack.

ManageMyHealth couldn’t be clearer as to when people would find out if their data had been compromised, as it had to co-ordinate with Health New Zealand, General Practice New Zealand and GP practices to ensure patients received consistent information.

“For context, under the Privacy Act 2020 and the Health Information Privacy Code, the obligation to notify affected individuals sits with the agency that holds the information,” ManageMyHealth said.

“Where health documents originate from multiple sources, there may be multiple data controllers with independent notification obligations. This requires co-ordination to ensure we meet our legal obligations.”

ManageMyHealth said its staff “sincerely apologise for the pain and anxiety this incident has caused”.

“We acknowledge we could have done a better job at communication, however, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients.”

Its statement came hours after Health Minister Simeon Brown addressed media, saying he wanted the company to apologise and inform those affected by the breach as soon as possible.

Brown also directed the Ministry of Health to review the incident.

He said that under the Privacy Act, ManageMyHealth was responsible for keeping the data it held secure.

ManageMyHealth said it had been granted injunction orders by the High Court “preventing third parties from accessing any data posted as a result of the incident”.

“We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted,” it said.

“A cyber attack is criminal activity and any unlawful use of private client information will be subject to legal action and takedown orders.

“Any ransom demand is a matter for NZ Police and ManageMyHealth will not be making any comment in this regard as it is an ongoing investigation.”

Brown said the Government’s policy, generally speaking, was to not pay ransoms.

ManageMyHealth said an independent forensic investigation by specialist cyber security consultants was continuing.

It urged people to be cautious about emails or communications they received, as scammers could exploit the situation by pretending to be from ManageMyHealth.

“We will not ask for your password. We will not ask you to share one-time codes,” ManageMyHealth said.

“Be cautious of urgent messages or links you were not expecting. If you are unsure, do not click.”

Those worried about the situation can also see updates on ManageMyHealth’s website.

Jenée Tibshraeny is the Herald’s Wellington business editor, based in the parliamentary press gallery. She specialises in government and Reserve Bank policymaking, economics and banking.

• Stay ahead with the latest market moves, corporate updates, and economic insights by subscribing to our Business newsletter – your essential weekly round-up of all the business news you need.