The hackers, calling themselves 'Kazu', posted on Sunday morning that unless the company paid a ransom within 48 hours, they would leak more than 400,000 files in their possession. Photo / Supplied
By Kim Baker Wilson and Ruth Hill of RNZ
The deadline for a ransom demand in the massive Manage My Health data leak is up.
It is believed the deadline expired at 5.37am (NZT).
It comes as communication from the country’s largest patient portal is criticised by a former intelligence officer.
The deadline has arrived for the ransom being demanded after hundreds of thousands of medical files were stolen from the country’s largest patient portal.
Manage My Health is still grappling with the massive data breach affecting more than 120,000 of its users.
Health Minister Simeon Brown said the Government had a long-standing position that ransoms should not be paid.
“However, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients.”
It said it would be publishing daily updates with all the information it was able to share.
Brown, speaking after announcing an urgent review into the breach, said he had raised communication with the platform.
“I spoke to the CEO last week, made my expectations incredibly clear around the need for Manage My Health to be clear and transparent with its communications to the public and its users and to work closely with agencies and to make sure that they are following their advice,” he told RNZ.
Brown described the data disappearing as “pretty unacceptable”.
Luke Hogan, a senior technical manager who works at Intellium, said he could not see Manage My Health recovering.
“I don’t know how they’re going to come back from this, it’s a bit tough,” he said.
“For me, it’s really, really disappointing that basic cyber security has not been taken seriously.
“From my perspective, health data is right up there with financial data, some of the most critical data that needs to be protected.
“It’s just very, very disappointing and a little bit shocking as an IT professional to hear that this has happened”.
While Manage My Health would not be drawn on the ransom, a former intelligence officer said in general they should not be paid.
Antony Grasso had also worked at the Government Communications Headquarters (GCHQ), the United Kingdom’s intelligence, security and cyber agency.
He himself was a Manage My Health user.
“I personally would advise not to, even if it was my own data that was going to get released, which it may be,” he said.
“It’s a tough call without giving the full context but the general rule is not to pay the ransom, that’s the general rule.
“I mean, you’re bargaining with effectively criminals or thieves, and there’s no honour amongst thieves, we know that, and they may release it anyway and it also means we’re a soft touch.”
Grasso said he had not seen Manage My Health take many tangible actions after the breach.
“You know, just as a general bod on the street, I don’t feel like they will necessarily have had a good plan for the response.
“I haven’t seen a lot of transparency and I haven’t seen a lot of action that I would expect for a company that’s holding that much private information.”
Grasso hoped security companies used by the platform would be dumped and have nothing to do with it in the future.
“Because clearly, somebody’s dropped the ball.”
‘Rumours for some time’ - Deputy Privacy Commissioner
Deputy Privacy Commissioner Liz MacPherson told RNZ she believed issues had surfaced in the past.
“As I understand it there have been rumours for some time but the issue we’ve got is that there are white-knight hackers and others out there who do raise these issues, quite often it’s very difficult to know whether these people are actually hackers themselves or whether they are white knights, so it’s difficult to police,” she said.
A white knight is a hacker who acts with good intentions to get vulnerabilities fixed.
“So as I understand it, these issues have been drawn to Manage My Health in the past and I think to some media outlets as well,” MacPherson said.
She said the office was irked by widespread complacency around cyber security.
“The frustration for us at the Office of the Privacy Commissioner is that we continue to see complacency from, and this is across the board ... a continuation of the ‘it’ll happen to somebody else, not to me’ type approach.
“And you have to ask the question, is the lack of a penalty regime part of that?”
MacPherson said fines in Australia used to be around $3.3 million but had risen significantly.
“So the major breaches risk fines of up to greater than A$50m, which is three times the financial gain from the breach, or 30% of the company’s turnover.
“I guess what I’m saying to you is that we didn’t even have the lower level fines that they had, which were around $2-3 million,” she said.
“We don’t have any penalties, we do not have a civil penalty rating.”
What Manage My Health says
Manage My Health, in its latest update, said it wanted to reassure the public that its team had been working tirelessly through the holiday period.
“Secondly, we have been working as part of a cross-sector group to implement processes to begin communication with affected practices and patients,” it said.
“We acknowledge that this delay has been a cause for concern.”
The platform said it welcomed the review launched by the Health Minister and it would fully cooperate.
It said its international team was monitoring known data leak websites and was prepared to issue takedown notices immediately if any stolen information was posted.
It had also obtained a High Court injunction preventing third parties from accessing data posted as a result of the cyber attack.
The High Court in Wellington has confirmed to RNZ it received an application for an injunction.