A massive data breach has left 86,000 New Zealanders' private health records exposed, and the impact is devastating. But here's the shocking part: this wasn't a simple hack, it was a targeted ransomware attack on the Manage My Health portal, a platform used by thousands of patients to access their medical information.
The attack, carried out by the ransomware group Kazu, resulted in the theft of hundreds of thousands of sensitive medical files, including hospital discharge summaries, clinical letters, and referral notifications, dating back to 2017. The group demanded a hefty ransom of US$60,000 (NZ$105,000) for the return of the data.
But here's where it gets controversial: the breach affected a staggering 70 percent of all affected patients in New Zealand, yet the response has been far from adequate. Court documents revealed that 45 GP practices in Northland were impacted, but patients faced significant barriers in accessing information about their compromised data. Website crashes and overloaded helplines left many in the dark, with the 0800 support line repeatedly disconnecting callers.
Manage My Health has notified only half of the affected patients, citing technical difficulties and the complexity of handling different patient cohorts. This slow response has drawn criticism from experts, with the College of GPs labeling it 'shambolic'. Cybersecurity expert Vimal Kumar highlighted basic security failures, such as a misconfigured DMARC policy, which could have prevented the attack.
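DMARC is the email-authentication policy a domain publishes as a DNS TXT record at `_dmarc.<domain>`; it tells receiving mail servers whether to reject, quarantine or merely monitor messages that fail SPF/DKIM alignment, so a weak record (`p=none`, partial `pct`, no reporting address) leaves the domain open to being spoofed in phishing. The checker below is an added example, not code from the article or from Manage My Health: it parses a DMARC record string offline and flags the common weak settings. The two sample records and the `example.invalid` reporting address are constructed for illustration.

```python
"""Offline DMARC record checker (added example with constructed records)."""


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict.

    Tag names are lower-cased; surrounding whitespace is tolerated.
    Raises ValueError on a fragment without '='.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return a list of findings; an empty list means no weakness was detected."""
    findings = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]

    # The record must identify itself as DMARC, or receivers ignore it entirely.
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong version tag (expected v=DMARC1)")

    # p= is the policy for the organisational domain.
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= policy tag")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only monitored, not rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value {policy!r}")

    # pct= below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")

    # Without rua= the domain owner never sees aggregate reports of spoofing attempts.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")

    # sp= governs subdomains; an explicit 'none' re-opens them to spoofing.
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains can be spoofed freely")

    return findings


# Constructed sample records (not any real domain's DNS data).
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; "
    "rua=mailto:dmarc-reports@example.invalid"
)

if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(f"{name}: {assess_dmarc(record) or ['ok']}")
```

To check a live domain, feed the TXT record fetched from `_dmarc.<domain>` (for example via `dig TXT _dmarc.example.com`) into `assess_dmarc`; the function deliberately does no network lookups so it can be unit-tested and run in a CI policy check.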
The breach exposed three critical categories of data: hospital discharge summaries, patient-uploaded documents, and referral documents. And this is the part most people miss: deceased patients were also among those affected, raising concerns about the handling of sensitive information.
Manage My Health appointed Emeritus Professor Murray Tilyard as a clinical advisor to help identify vulnerable patients and contact their next of kin. However, the company's response has been questioned, especially regarding the nine-day delay in notifications. The ransomware group's deadline has passed, and Manage My Health remains tight-lipped about whether they will pay the ransom or negotiate with the hackers.
Patients are understandably frustrated, receiving contradictory notifications and struggling to implement security measures due to system overload. Privacy concerns are at an all-time high, as the breach potentially exposed abuse histories, mental health records, and chronic condition details to criminals. This incident raises serious questions about the security of private companies holding sensitive health data and the need for stronger cybersecurity measures in the healthcare sector.
Health NZ, while claiming their systems remain secure, acknowledged the gravity of the situation. They emphasized the importance of patient data protection, even when breaches occur on third-party platforms. This incident serves as a stark reminder of the escalating ransomware threats targeting healthcare providers globally, with patient portals becoming lucrative targets for extortion.
What are your thoughts on this alarming breach? Should private companies be held to higher security standards when handling sensitive health data? How can we ensure patient portals are better protected against such attacks?