Yesterday, ManageMyHealth CEO Vino Ramayah confirmed a cybersecurity incident had been identified on Wednesday involving “unauthorised access” to the platform.
He said the incident had been contained and was under investigation.
But he could not give any in-depth information about the situation, which was criticised by GPs.
“We are working closely with the relevant authorities and independent cybersecurity specialists, and we will provide updates through formal statements as further information is confirmed,” Ramayah said initially.
This afternoon, he provided the Herald with further details on the breach.
“Since we were alerted, our team has been working very hard to ensure that the application is secure,” he said.
ManageMyHealth has “begun analysis to identify users affected” by a cyber breach this week. Photo / Supplied
“We believe the incident has been contained and we have engaged independent international forensic consultants to further verify the solution we have put in place and determine the extent of the data that is affected.
“Based on our investigations to date, we believe between 6 and 7% of the approximately 1.8 million registered users may have been affected by this incident.”
That equates to between 108,000 and 126,000 users.
Ramayah said ManageMyHealth had “begun analysis to identify users affected”.
“As you can appreciate, this is a complex exercise, and we expect to start notifying those affected within the next 48 hours.”
He said the Privacy Commissioner had been notified and was working with ManageMyHealth to meet its obligations under privacy legislation.
The police and Ministry of Health had also been notified, and Ramayah said he was “engaging” with the “agencies and other organisations” to co-ordinate a response.
“We recognise that any incident involving health information can cause anxiety and distress,” he said.
“People rightly place a high level of trust in systems that hold their health data, and we understand the concern this situation may create for patients, providers and partners.
“We want to thank users and the sector for their patience while a complex investigation continues.”
The matter has been reported to the police, Privacy Commissioner, Ministry of Heath and other agencies.
Health Minister Simeon Brown called the breach “concerning,” and Health New Zealand (HNZ) was working closely with ManageMyHealth to ensure it was being appropriately addressed.
“At this stage, there is no evidence any HNZ systems, including My Health Account, have been compromised as ManageMyHealth has separate systems,” he said.
“ManageMyHealth and government agencies are working closely together to fully understand the scope of the breach and to protect the privacy of patients.
“HNZ is coordinating with agencies, including the National Cyber Security Centre, to ensure all the right steps are being taken.”
“I have been advised that there is no clinical impact on patient care as a result of this cyber incident, and health services continue to operate as normal,” Brown said.
“I expect ManageMyHealth will continue to keep the public informed as more verified information becomes available and will put appropriate measures in place to ensure patient safety and privacy are protected and given the highest priority.
Ramayah said to support patients and providers, ManageMyHealth would provide a detailed FAQ to “help resolve their questions where possible”.
“To ensure your online security, we strongly recommend you read the guidelines provided by the Own Your Online website.”
He said ManageMyHealth took its obligations to data security seriously.
“We understand how personal and sensitive health information is, and we recognise the stress an incident like this can cause,” he said.
“Our team is working hard to identify those affected, and to communicate directly and transparently.
“Manage My Health will provide a further update at 3pm tomorrow [January 2].”
Earlier today, GPs criticised the lack of information.
College of GPs president Dr Luke Bradford told RNZ he only learned about the potential breach through the media.
“It’s terribly disappointing. They’re an absolutely key tool that we use for patients. It allows patients to access their records and better manage their health, literally,” he said.
“But if their data’s not safe, then their very personal information is not safe, and that’s really concerning.”
It was “terrible timing”, with most practices closed for four days, he said.
“We’re going into this period without any formal communication about what’s involved in the breach and what can be done about it.”
General Practice NZ chairman Dr Bryan Betty agreed the situation was worrying.
“Health data in terms of patients is incredibly important and any breach like this has to be taken extremely seriously and has to be actioned as a matter of urgency,” he said.
“There should be obviously free and open transparency about the situation and what’s actually happened, both for patients and practices that use the ManageMyHealth portal.
“So I would expect that to be part of their management of the present situation.”
Anna Leask is a senior journalist who covers national crime and justice. She joined the Herald in 2008 and has worked as a journalist for 20 years with a particular focus on family and gender-based violence, child abuse, sexual violence, homicides, mental health and youth crime. She writes, hosts and produces the award-winning podcast A Moment In Crime, released monthly on nzherald.co.nz
