Northlanders are demanding to know which of the region’s 45 GP practices were impacted by the ransomware attack on medical portal Manage My Health.
About 430,000 patient documents, some dating back to 2017, were stolen in the cyber attack detected on December 31 in which a US$60,000 ($103,709) ransom was demanded.
Court documents revealed the data breach included information from 45 GP practices based in Northland.
Stolen information also involved 355 “referral-originating” medical practices across several regions.
The information taken included clinical discharge summaries, referrals and related files, and information uploaded to the system by patients.
Some of the information covered historical clinical referral records dating from between 2017 and 2019.
Manage My Health has not publicly stated which GPs have been impacted, leaving Northlanders reaching out to the Northern Advocate for answers.
The Northern Advocate is contacting the region’s general practices to find out which ones were affected.
Manage My Health has said it is unable to provide all details immediately “because accuracy matters”.
“Our priority is to confirm what happened, protect data, and provide affected people with information that is correct.”
Manage My Health was still in the process of identifying affected users.
The Privacy Commissioner has stressed Manage My Health is responsible for notifying impacted users directly and supporting them through the process.
“If your information was involved, we will contact you directly with confirmation and next steps.”
Paihia Medical Services owner and practice manager Rene Wilson said over half of the clinic’s 5100 patients are registered with Manage My Health.
“We have been advised by Manage My Health that we have patients affected and they are still trying to figure out who and how many.”
Wilson said determining who and what had been compromised was a big job.
“It’s a waiting game for us right now.”
Kensington Health practice manager Darren Rowbotham said the situation was “a mess”.
He suspected his practice had been impacted but could not say how many patients were affected because of a lack of communication from Manage My Health.
Rowbotham said he had received no official information about the number of patients, nor how they would be contacted, what information would be disclosed and what support would be offered.
While Manage My Health had created a data breach report within the portal, he said, the numbers of affected patients kept changing and did not know which – if any – were correct.
Rowbotham said clinics had been advised not to proactively contact patients as the breach was being treated as a Manage My Health privacy issue.
Kensington Health had switched to a new patient system, Vensa, but still had access to its historical Manage My Health portal.
Rowbotham said historical data remains on the site unless patients cancel their accounts themselves.
He described health data as deeply personal, saying the breach could be particularly distressing for vulnerable patients or those with sensitive information.
He hoped appropriate support would be provided, noting that while some people may not care, others could be seriously affected.
Ngāti Hine Health Trust chief executive Tamati Shepherd–Wipiiti said the trust’s clinics in Moerewa, Whangārei, Kāeo and Kawakawa “were all good”.
Though the clinics don’t use the portal, the three patients who registered with Manage My Health were notified.
“We were proactive,” Shepherd–Wipiiti said. “We went through individual patients whose information had been breached, and risk assessed how much harm the release of information had.”
Shepherd–Wipiiti said the people whose files were impacted were “quite vulnerable”.
“We rang them and walked them through it.
“We asked them if they wanted to come in to the practice and we would show them the information on file that was breached.”
A Whangārei medical centre manager confirmed her clinic was affected but did not want the practice named, believing patients could be unnecessarily alarmed when there was still so much uncertainty.
She said the clinic had not yet been given clear information about the impact on its patients and was seeking clarity from Manage My Health about what data had been affected.
Hauora Hokianga Health practice manager Sophie Titore said the general-practice service wasn’t with Manage My Health.
Northland’s largest primary health organisation, Mahitahi Hauora, was following the nationally led response to the cyber breach.
Mahitahi Hauora chief executive Jensen Webber said that was to ensure consistency across the motu.
“Our member general practices, who have been impacted, have been contacted, and are following the co-ordinated response.”
Webber said Mahitahi Hauora will not be making any further comments at this time.
Many of the practices contacted did not want to comment or did not have the appropriate person available to speak about the breach.
Manage My Health was granted a High Court injunction on Tuesday night preventing anyone from accessing or sharing the stolen data.
By this morning, all posts referring to the Manage My Health hack had been removed from an account purporting to be used by the hacker Kazu.
Anyone in possession of the information was required to delete it.
The injunction is enforceable within New Zealand but much of the murky world of the dark web lies outside New Zealand and its courts’ jurisdiction.
The person identifying as the hacker Kazu says a negotiator is working with the company to get a ransom paid before a deadline originally set at January 15, but which has since shifted.
“Don’t worry, this will be over soon, and everyone will be satisfied,” Kazu told the Herald through the Telegram messaging app.
Health Minister Simeon Brown has ordered an urgent review into the breach, which happened just before the turn of the new year.