Photo: jeffbergen/Getty Images
A widely used patient portal in New Zealand reported a cyber breach two days before the New Year, affecting up to 126,000 people.
On New Year's Day, private company Manage My Health disclosed that it had been notified of unauthorised access to its patient portal application on 30 December.
In an update two days later, it said that an independent forensic analysis found one module within the app, Health Documents, was compromised while the rest of its system was "secure and operating as intended."
"Manage My Health is commencing legal action to protect our clients' data," it said.
WHY IT MATTERS
The company noted that between 6%-7% of approximately 1.8 million registered users might have been affected by the breach. It already has a complete list of these people and is expected to start notifying them following confirmation of the forensic team and liaison with primary health organisations and general practices. "The forensic team is continuing work to confirm our analysis of the specific documents involved."
"[W]e will start informing people directly from early next week," it said. An online helpdesk and dedicated support number are being set up and expected to go live by early next week as well.
In its update on 3 January, Manage My Health also shared that it has identified and closed specific gaps that enabled the hack, with testing and verification by external cybersecurity experts. It added extra login checks and limited the number of times users can access the system in a short time.
"All health documents have been re-secured, and their storage has been strengthened."
THE LARGER CONTEXT
This latest IT breach followed the hacking incident at Te Whatu Ora Central Region in October 2024, where sensitive staff information, medical assessments and health-related correspondence were illegally accessed. There was no evidence of an online leak, however.
In 2022, one of Te Whatu Ora's IT service providers reported a cyberattack, which affected about 14,000 data relating to bereavement and cardiac services. In September that year, the Pinnacle Midlands Health Network also reported a data breach and leak.
The latest hack at Manage My Health had "no impact on Health NZ systems," Jason Power, acting national director of Planning, Funding, and Outcomes at Te Whatu Ora Health New Zealand, confirmed in a statement. Te Whatu Ora's incident management team has also been dispatched.
Te Whatu Ora Health and General Practice New Zealand have both been engaged to coordinate the cyber hack response, while the Office of the Privacy Commissioner and the New Zealand Police have been notified of the breach.
"We are working with relevant agencies, including the National Cyber Security Centre and the Police Cyber Crime Unit, to ensure the situation is being managed appropriately," added Power.
The Ministry of Health on Monday said it has commissioned a review of the Manage My Health IT breach and response.
"Patient data is incredibly personal, and whether it is held by a public agency or a private company, it must be protected to the highest of standards," said Health Minister Simeon Brown.
