Health Minister Simeon Brown expects ManageMyHealth to notify those affected by a cyber security breach as soon as possible.
Personal health information of about 126,000 New Zealanders could be compromised by a late-December cyber attack on ManageMyHealth – a portal some general practices use to communicate with their patients.
Brown said Health NZ was working with ManageMyHealth, which is a private operator, on a “rapid notification” plan to let those affected by the breach know what information of theirs might be in the public domain.
He said ManageMyHealth had also applied to the courts for an injunction to try to prevent people from republishing any information released by the attackers.
While Brown didn’t know who the attackers were, he said they were “criminals” exploiting people’s personal information for their financial gain.
The attackers have asked ManageMyHealth to pay a ransom.
Brown said the Government’s position was generally not to pay, noting there was no guarantee the attackers would keep their word and delete the information when they were paid.
Earlier on Monday, Brown announced he had asked the Ministry of Health to start a review of the incident before the end of the month.
He said the review should assess the cause of the breach, review the adequacy of the data protections that were in place and consider the response to the incident. It should also recommend any improvements required to prevent another breach.
Brown said that under the Privacy Act, ManageMyHealth was responsible for keeping the data it held secure.
“I know this breach will be very concerning to the many New Zealanders who use ManageMyHealth and we need assurances around the protection and security of people’s health data,” he said.
“Patient data is incredibly personal and, whether it is held by a public agency or a private company, it must be protected to the highest of standards.”
Brown said while the review should start as soon as possible, it was important the focus continued to be on the immediate response.
This ransom post screenshot in relation to the ManageMyHealth data breach is from a popular hacking forum.
An “incident management team” has been meeting daily to co-ordinate advice and support across government agencies.
“In the meantime, I expect the ministry to develop terms of reference, in consultation with the Government Chief Digital Officer and the National Cyber Security Centre, and a timeline for the review process,” Brown said.
Health NZ has advised there has been no impact on its systems.
It is working with primary care providers through General Practice New Zealand to clarify the potential impact on patients and general practices. General practices remain open and providing services.
Jenée Tibshraeny is the Herald’s Wellington business editor, based in the parliamentary press gallery. She specialises in government and Reserve Bank policymaking, economics and banking.
