The data of up to 126,000 New Zealand health patients has been held ransom by a hacker who allegedly breached popular patient portal Manage My Health (MMH).
The privately-operated service, used for health information management by numerous patients and general practices in New Zealand, confirmed on New Year’s Day it had been notified of a “security incident involving unauthorised access to its New Zealand application”.
The company found between six and seven per cent of its approximate 1.8 million users may have been affected by the incident – equating to between 108,000 and 126,000 users.
A sample of the leaked data reportedly included clinical notes, lab results, vaccination records, medical photographs and personal information such as names, emails and phone numbers.
The company said the incident was limited to the ‘My Health Documents’ section of the MMH app.
Chief executive Vino Ramayah described the breach as a simple “password accessed intrusion”, noting the attacker “came in through the front door using a valid user password”.
He said the company understood “how personal and sensitive health information is” and recognised the “stress an incident like this can cause”.
“Our team is working hard to identify those affected, and to communicate directly and transparently,” he said.
The company has notified the New Zealand Police and the country’s Office of the Privacy Commissioner.
If they don’t pay, I’ll sell it
Information Age understands the data leak first appeared on a prominent hacking forum under a post from a highly active user named ‘Kazu’.
Kazu stated precisely 428,337 files, totalling 108 gigabytes, had been “dumped” on the website on 30 December.
The hacker demanded a ransom of $60,000 by a deadline of 15 January.
“It will be available for purchase if they don’t pay the ransom,” wrote Kazu.
The hacker also provided an alleged sample which anyone with a public internet connection could access directly.
The hacker offers to sell more than 400,000 stolen documents. Source: RNZ
Information Age located Kazu’s forum account and a post matching the date and time of their alleged MMH leak, though all details had been inexplicably removed.
At the time of writing, the post appeared to have accrued more than 1,400 views.
Kazu did not respond when asked for more information about their alleged data theft.
Patients confused as MMH seeks injunction
MMH moved quickly to seek injunction orders from New Zealand’s high court to prevent third parties from “accessing any data posted” from the incident and require “anyone immediately delete and take down” links or publication of the affected dataset.
Further to tasking an “international team” with leak monitoring and takedown notices, the company reiterated any “unlawful use of private client information” would be subject to legal action.
Notably, cybersecurity injunctions have recently stirred controversy for serving as a double-edged sword: while they can restrict cybercriminals, experts warn they can also impede the work of cybersecurity professionals trying to keep victims protected and informed.
Though MMH has started to notify impacted practices this week, droves of New Zealanders have taken to social media to voice confusion on whether their information was impacted.
“I'm getting so anxious about this situation, my medical and mental health records are very personal to me and there are things in there that I'd rather my family not know,” wrote one user on Reddit.
New Zealand Health Minister, Simeon Brown. Photo: Supplied
On 5 January the company conceded it “could have done a better job at communication”, but maintained its priority was to “secure patient data and work on the accuracy of all information before providing it to practices and patients”.
Government to review breach after MMH ‘drops ball’
In an interview with RNZ, MMH chief executive Ramayah refused to comment on whether the company would pay a ransom, though he conceded the company “dropped the ball”.
“I take responsibility… I was the founder of this company,” he said.
“I'm not unprepared to step down if there's a better person who can do a better job than I did.”
On Monday, Health Minister Simeon Brown commissioned the Ministry of Health to review the response to the incident.
"The security of patient information is a matter I take very seriously as minister, and that’s why I asked officials for options in relation to this incident," Brown told Information Age.
“ManageMyHealth has welcomed the commissioning of the review and has said it will cooperate fully.
“It has noted that the findings and recommendations will be helpful to the whole sector.”
MMH said it has “fixed the security gap” that allowed the unauthorised access to occur and has made logins “more secure” with “extra checks” and a limit to the number of times users can attempt successive logins.
MMH has been approached for comment.
