
People whose GPs no longer use Manage My Health may still have had their historical data hacked.
Hackers are threatening to release 400,000 files from 120,000 patients if the health portal does not pay a US$60,000 (NZ$103,000) ransom.
Manage My Health has begun telling general practices whether their patients have been affected, and it is working on telling individual patients via a Privacy Act notification.
Manage My Health said it will begin notifying patients in the next 24 hours and hopes to complete this process by early next week.
In a statement Wednesday evening, it said notifications will be sent initially through email to the address that was used to register the account.
A number of people have told RNZ their GP had previously switched from Manage My Health to another platform, but they can still log in to Manage My Health and see their information there.
Manage My Health chief executive Vino Ramayah confirmed the company holds on to records unless a patient cancels their account.
It was up to patients to cancel their account, not their GP, he said.

“When… a practice leaves Manage My Health, the patients have a choice to continue to use Manage My Health or they can close the application, in which case we will delete the data,” he said.
“It’s essentially patient data – we need their consent because we’ll be wiping out a lot of their historical data, so that is why it is stored.”
People can use the platform privately – they do not need to use it through their GP, he said.
Ramayah said people should have “a level of personal diligence” with their Manage My Health accounts. Users should change their passwords regularly, and use two-factor authentication, he said.
“I would encourage everyone to consider security as a very key part of your thinking, especially when you put sensitive information in an application, irrespective of whether it’s Manage My Health or… any other healthcare app.”

Patient ‘horrified’ to learn Manage My Health still holds her data
A patient whose GP stopped using Manage My Health in 2020 said she was “horrified” to log in to the system on Sunday and see her intimate information still there.
The woman, who RNZ agreed not to name, said she felt a sense of betrayal.
She believed her GP was “slack, but not malicious”, and questioned why they did not advise her that she needed to manually close her Manage My Health account following the switch of providers.
“I would have been happy to do that… if only you’d told us.”
RNZ has seen the email her clinic sent in May 2020 advising patients it was moving to a new portal.
“As of Friday May 29th, 2020, 4pm Manage My Health will no longer work,” it said.
“Your laboratory tests results… will be transferred to the new patient portal and you will be able to access them as you do in Manage My Health now.”
She assumed that meant her Manage My Health account would be closed, and the records it held deleted.
The woman believed Manage My Health had an interest in holding on to accounts to “inflate” the number of users it had.
How long should medical records be kept for?
The privacy commissioner’s website said health agencies should not keep medical information for any longer than they have a lawful purpose for using it.
“The Health (Retention of Health Information) Regulations 1996 say that health agencies must keep any health records they hold for a patient for 10 years from the last time they provided services to that patient.
“However, this requirement doesn’t apply if the health agency has transferred the files to a new healthcare provider or if they have given the complete file to the patient (or, if the patient has died, to the patient’s executor).”
Informing affected patients, GPs
Manage My Health said on Tuesday it was beginning to tell GPs whether their patients were caught up in the breach.
It said affected GPs could log in to a portal to see which patients had their data stolen and what records were taken.
It would also inform practices that no longer use Manage My Health, and it was working on notifying affected patients.
“The Privacy Act requires individuals to be notified when their information has been accessed in an unauthorised way,” it said.
“[Manage My Health] is taking on this responsibility on behalf of the practices, to which the information is being provided so that practices can provide support after individuals have been notified.
“Privacy Act notifications will go to practices through Manage My Health, together with details of how more information and support can be accessed.”
Manage My Health would also establish an 0800 helpline for impacted patients, it said.