Northland patients learn their records were stolen in Manage My Health data breach

Northlanders are starting to receive email notifications from Manage My Health, informing them their documents have been stolen. Photo / Michael Craig

Northland patients are fuming to discover they are among the 125,000 people whose documents were stolen in a cyber attack.

About 430,000 documents, some dating back to 2017, were stolen in the attack on the privately owned medical portal Manage My Health.

The breach occurred in the “My Health Documents” section of the portal’s website.

The hacker claiming to be behind the crime is demanding a US$60,000 ($103,709) ransom.

Northlanders had been nervously waiting to learn whether they were impacted after it was revealed the data taken originates mainly from the Northland.

Court documents showed 45 GP practices in the region were included in the data breach.

Whangārei resident Ian Sweeney received an email from Manage My Health yesterday saying his personal details had been hacked.

The email advised him to change his password and enable multi-factor authentication.

“That was it,” Sweeney said.

“I’m not happy about it. It’s a data breach, and no one likes that.”

Sweeney said the breach should never have happened because Manage My Health was dealing with sensitive information that needed to be protected at all times.

He was surprised people had not begun talking about a class action lawsuit against Manage My Health.

“There should be some form of compensation,” Sweeney said.

“We’ve trusted them with personal information and they’ve failed miserably.”

Another patient in Whangārei to discover that five of her clinical and discharge letters were taken by cyber criminals on December 29 – two days before the breach was detected – called the aftermath a “s***show”.

For patients affected by the breach, a new section called Account Security Status has been added to their Manage My Health portal. The section lists what documents were taken and when.

“I’m yet to figure out what information is actually in those files, as logging in was a nightmare; trying to access the records taken is a nightmare,” the patient said.

Her documents stored on the portal have gone missing. Other patients have reported the same.

Patients in Dargaville and Raumanga reported receiving notifications too.

Ngāti Hine Health Trust chief executive Tamati Shepherd–Wipiiti said on Wednesday that only three of the trust’s clinics, in Moerewa, Whangārei, Kāeo and Kawakawa, were affected.

But he said today that many more of their patients had had their data breached.

“It’s in the hundreds so far.”

Ngāti Hine Health Trust chief Tamati Shepherd–Wipiit says hundreds of the trust's patients have been affected by the data breach.

Five hundred patients are registered with Manage My Health, Shepherd–Wipiiti said.

While the trust’s clinics don’t use the portal day-to-day, they must access it when looking up patient records for those registered with it.

“The trust has brought in extra staff to help support patients or whanāu that are worried.”

Shepherd–Wipiiti said security was important, in particular when it relates to patient information.

“We have been proactive with caring for our patients that have been breached and are thankful that none of our core systems, including our core G system, was compromised.”

Some Northland GPs reported being told how many of their patients had been impacted, but not who. Other clinics had to wait to find out if they were affected at all.

GPs were advised that Manage My Health would directly contact patients whose documents had been stolen.

The Privacy Commissioner stressed the company was responsible for notifying impacted users directly and supporting them through the process.

As of Friday night, more than half of the patients impacted had been sent notifications from Manage My Health.

The remaining patients were expected to have been notified by early next week.

Manage My Health explained the impact on Northland by saying it provides a service for the region’s patients to receive hospital discharge summaries through the portal.

“This solution was a benefit to Northlanders who did not have to wait in hospital to receive paper records and was of particular benefit to Northlanders who are not enrolled with a GP.

“This arrangement was not in place in other regions.”

The company has continued to apologise for the “pain and anxiety” caused.

Manage My Health says the current system is secure and operating as intended.