Health Minister Simeon Brown has commissioned a review by the Ministry of Health into the response to a cyber security breach of patient information on ManageMyHealth.

Hackers have threatened to release 400,000 stolen documents from patient files if ManageMyHealth doesn’t pay by Tuesday.

Brown told a media conference that ManageMyHealth was seeking an injunction on patient data being used publicly, but that was being managed by the company.

Other work was also being done to minimise any damage, he said.

“We are taking this very seriously and doing everything we can.”

“People who hold data are responsible for that,” he said. “It is the agency that holds that data that has responsibility.”

He said it would also be up to ManageMyHealth to notify those affected, but health data was among the most personal information and needed to be protected to a higher standard.

“We need to do better,” he said.

“I think what’s happened here is unacceptable and we need to make sure we get to the bottom of this.”

He said those who were behind the attack were criminals, and the government’s approach and advice was that people not pay.

“They are trying to extort money by using people’s personal information … we see that around the world, unfortunately this time it’s been here in New Zealand.”

He said the important thing right now for the government was to be supporting the company to curb the risk and effects of the attack.

In an earlier statement, Brown said patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards.

“I have decided to commission the Ministry of Health to lead a review of the ManageMyHealth and Health New Zealand’s response.”

The minister has written to the Director-General of Health asking that the review commence by the end of the month.

The purpose of the review was laid out in Brown’s letter, and included:

to assess the cause of the incident
to review the adequacy of data protections in place, and the response to the incident
to recommend any improvements required to prevent similar incidents in future

The letter set out that the review should begin as soon as possible, but noted it was “important that the review does not distract from the immediate response to the incident”.

Brown said Health NZ had been advised there was no impact on its systems, and it was working with GPs to find out how patients may be affected.

The confirmation of a review came five days after ManageMyHealth claimed on New Year’s Eve a cybersecurity breach involving unauthorised access to its systems had been “contained”.

The company, which hosts New Zealand’s largest patient information portal, the next day said up to 7 percent of its roughly 1.8 million registered users may have been impacted – about 126,000 people.

The hackers on Sunday threatened to leak more than 400,000 files unless the company paid them $60,000.

They had accessed the medical documents section of the ManageMyHealth app, and samples of documents for potential “buyers” included clinical notes, lab results, passport details and photos of people’s bodies.

Brown said a team had been meeting daily to co-ordinate advice and support across government agencies and he had been receiving daily updates since 1 January.

“I know this breach will be very concerning to the many New Zealanders who use ManageMyHealth, and we need assurances around the protection and security of people’s health data,” Brown said.

“We must learn from this incident, to avoid any repeat events in the future.”

He had earlier told RNZ it was a “deeply serious situation” and a “big wake-up call”.

It was unknown where the hackers, calling themselves Kazu, were operating from, he said.

Meanwhile, ManageMyHealth has identified all patients who have had their health records stolen – but cannot yet say when they will all be told.

A spokesperson for ManageMyHealth said it hoped to have an update later in the week once all the communications with GPs and affected patients had been co-ordinated with the Ministry of Health, Health NZ, Privacy Commissioner and GPNZ.

“We are not waiting to determine who is affected – we know.”

The company was working to provide “a timeframe for communications” by Tuesday.

Because the health documents originated from multiple sources, there were many different agencies with obligations under the Privacy Act and the Health Information Privacy Code to notify affected individuals.

“This requires co-ordination to ensure we meet our legal obligations and do not create confusion for patients by having different organisations contact them separately about the same incident.”

The spokesperson said it would “not be appropriate to comment” on specific technical matters while the review was ongoing.

“What we can confirm is that we became aware of this incident on 30 December when we were notified by a partner, and we notified the relevant authorities that same day. The specific vulnerability that allowed unauthorised access has been identified, patched, and independently verified by external cybersecurity specialists.”