Manage My Health. Photo / RNZ, Finn Blackwell
By Ruth Hill of RNZ
IT experts allege Manage My Health ignored warnings about vulnerabilities in its cyber security for years – but the regulatory vacuum meant the company was not required to take action.
About 127,000 New Zealanders have had their information stolen in the ransomware attack after hackers were apparently able to obtain a password giving them access to part of its database containing more than 430,000 documents.
University of Auckland cyber security expert Dr Abhinav Chopra said he discovered the holes in Manage My Health’s system two years ago when he was trying to find out why it was still holding on to his health records after his GP moved to a new provider.
In an email to his GP, Manage My Health and eventually the Privacy Commission, he listed all the problems, including the lack of multi-factor authentication and the fact that multiple administrators had access to unencrypted files.
“This is the same pattern. They should have invested. They’ve had two years and these are the exact same areas that have caused them the issue.”
The company did not respond to him, he said.
Manage My Health has said it is required to hold on to patients’ data – even if their GP switches provider – unless patients deregister themselves.
However, Chopra believes Manage My Health could have another reason for holding on to patient records.
Its own website proudly notes its database of “1.8 million Kiwis” and its ability to get its customers’ message to them “when they’re thinking about their health”.
“If this company did not have any commercial gains to make out of this data, then they would not be paying the extra storage costs for this data,” Chopra said.
A Wellington IT worker caught up in the Manage My Health data breach – whom RNZ has agreed not to name – also questioned the lack of regulatory checks and balances.
“Health services that have this information and these functions should be subject to the same scrutiny and compliance requirements and auditing as financial institutions.
“If your banking app is down, it’s a huge deal and it gets lots of scrutiny.”
However, Manage My Health’s users could not say they were not warned, she said.
“The irony is that I actually read their terms and conditions, and they haven’t breached them because their entire terms of usage is they can’t guarantee their system is any good or that they’ll fix it, even if it’s foreseeable and they know about it.
“It’s essentially, ‘We can’t guarantee our product doesn’t suck, but here, give it a go’.”
Digital specialist Callum McMenamin (who also alerted Manage My Health to its security vulnerabilities six months ago) said the 300-page Health Information Security Framework contained many good things – but entirely relied on “hand-wavy” self-regulation.
“It’s all just a high-trust system where the Government sets the standards but then closes its eyes and doesn’t check if the standards are actually being met.”
According to political analyst Bryce Edwards from The Democracy Project, the lack of regulatory oversight was “not an accident”.
The Digital Health Association – the industry body for health software vendors – had lobbied against what it called “overly burdensome privacy laws and regulation”, he said.
“They have time and time again asked government to keep the rules on privacy quite weak and relaxed so the companies that deal with data are not subject to too much of what they call ‘red tape’ or essentially costs on them.”
Successive governments had ignored warnings from three Privacy Commissioners over the last 15 years of the need for stronger penalties, like in Australia, where errant companies faced multimillion-dollar fines, Edwards said.
The Digital Health Association pushed for the repeal of the Therapeutic Product Act, which would’ve regulated software as a medical device with surveillance and penalties for non-compliance, he continued.
“If you don’t have these rules, if you don’t have penalties for companies not looking after data, it means they can often be quite lax. They don’t have good systems because they don’t have those incentives.”
Digital Health Association chief executive Stella Ward said the organisation did not oppose the Therapeutic Products Act (TPA).
“Across all our submissions and briefings, we repeatedly advocated for better regulation – not less.
“Our concern was that the bill, as drafted, lacked clarity and risked creating broad, impractical definitions that would not achieve best‑practice oversight.”
The association supported “the intent” of the bill: ensuring modern, fit-for-purpose regulation that keeps New Zealanders safe, she said.
Current privacy penalties were low by international standards – but international experience showed “stronger penalties alone do not prevent incidents” and continuous investment was required.
“What matters most is having a clear, consistent regulatory framework that supports safe, efficient delivery of digital health services while protecting patients’ rights.”
Health NZ said it was Manage My Health’s responsibility to ensure the data it was contracted to manage was “safe”.
The Health Information Security Framework (HISF) – published by Health NZ – was intended to “guide” the health sector in the secure use and management of health and information technology.
“Health NZ expects health sector providers to have safeguards in place to protect health information, including assessing the security of their IT service providers, aligned to the recommendations of the HISF.”
However, a spokesperson indicated oversight could be introduced in future.
“As Health NZ progresses implementation of measures to increase the accessibility and security of health information, we are considering what further assurance of third-party providers against regulations and standards is required.
“This may include independent testing of third-party services such as patient portals.”