More than 400,000 files were stolen from the Manage My Health platform, affecting 15,000 patients. Photo / RNZ, Finn Blackwell
By RNZ
Sexual violence and family harm victims will be living in terror that their private details could be among a cache of hacked medical information, an advocate says.
More than 400,000 files have been stolen from the Manage My Health platform.
It was a shocking data breach of highly sensitive information involving about 15,000 patients’ records, independent advocate Claire Buckley said.
“The problem with that is that anybody who has used that system will now be vulnerable and potentially re-traumatised and potentially unnecessarily re-traumatised because their data may not be part of the hack. And so that’s the harm that’s being caused – it’s not just to the people that have been hacked and whose data is vulnerable. It’s also to anyone who uses that system whose data may not have been hacked, but they are living [with] the terror that it could have been.
“And I mean terror. People who have been through these kind of horrific traumas are not people who are feeling secure at the best of times. And so something like this, where their personal data could get out there is something that is more terrifying than to your average person who may have their medical records out there. There’s a really big difference between, oh, ‘did you know that this person was on statins?’ versus, ‘this person had an horrendous sexual assault, and they have permanent damage in this way’, which would all be documented within those doctor’s notes.”
Buckley said abusive ex-partners could find their family’s addresses, or other criminals could track down their victims.
“This kind of information may be able to lead their partners to find them, so that will be terrifying for them. And then anyone who’s had any kind of severe trauma in the family relating to a homicide, for example, all of that’s documented in their health records. Often they need counselling. And so all of those things are now going to be, you know, on the dark web, accessible to people who have the nefarious means to access that.
“And it’s just so re-traumatising to anyone who’s been through any kind of severe trauma, particularly one that may be ongoing in terms of a case that may still be pending and in terms of someone who is still trying to keep away from an abusive spouse.”
A ransom deadline had been set for Tuesday and victims would have that at the front of their minds.
“Everyone who has been through that kind of trauma, whether it be family harm or sexual assault will be saying ‘pay the ransom - it is completely worth it to protect my privacy’. And that’s the problem. A lot of companies do pay it specifically to try and avoid the harm that can be caused.
“The problem, of course, is that the bad guys who are doing the hacking know that companies are willing to pay now because of the level of harm that they are causing. And so it becomes this kind of vicious cycle. If we pay them, then they know they can be paid. Therefore, they will keep trying to get into these systems and take the data for ransom again.”
A worrying possibility would be that it could make people think twice about what they tell their doctor.
“And that would be the worst part of the situation, would be people who are in desperate need not wanting their information to be stored on the system. Because you can imagine if you have been the victim of a sexual assault and it is quite graphic in nature, you are not going to want your doctor to be documenting that in a system that is not considered reliable enough to ensure that your personal security and privacy is protected.”
Manage My Health said late on Monday that the ransom demand was a matter for police, and it would not be making any comment about a ransom while an investigation was ongoing.
The platform apologised for pain and anxiety caused to health providers and patients, and acknowledged it could have communicated better.
“However, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients.”
It said it will publish daily updates with all the information it can share.
Health Minister Simeon Brown has announced an urgent review into the breach.