User Frustration Grows After Manage My Health Data Breach

New Zealand’s Manage My Health portal, which facilitates communication between general practitioners and patients, is facing significant backlash following a data breach that occurred on December 30, 2023. The incident saw the personal information of approximately 125,000 individuals compromised, stirring concerns about user data security and privacy.

One affected user, Nick Jackson from Christchurch, expressed his frustration after discovering that his account was still active despite his health centre transitioning to a different system three years prior. Upon logging in, Jackson found old medical records, including lab test results and prescriptions, still accessible on the platform. This revelation prompted him to attempt to delete his account and personal data, a process he described as anything but straightforward.

Challenges in Account Deletion and Data Privacy

Jackson shared with The Post the email correspondence he had with Manage My Health over the course of a week. Initially, he inquired whether his data had been compromised and why it remained on the platform. In his communications, he requested that all data associated with his account be deleted.

“Please delete all data you hold on me,” he wrote.

In response, the company provided guidance on how to close his account but also suggested that keeping the account active would allow him to receive notifications if his data was ever compromised again. Jackson reiterated his request for data deletion, expressing his growing distrust in the platform’s ability to safeguard his information.

Five days later, he received confirmation that he had not been hacked but was instructed to delete his account himself. Jackson pointed out that closing the account does not guarantee immediate deletion of data, as he had learned that the company’s privacy policy states data is retained for up to 90 days after account closure. “They may get breached again in that timeframe,” he noted.

Regulatory Oversight and Data Retention Policies

According to the Privacy Commissioner, agencies like Manage My Health are required to dispose of personal information promptly when there is no longer a legitimate reason for retention. The Health Information Privacy Code stipulates that data should not be stored longer than necessary. Conversely, regulations dictate that health records must be maintained for a minimum of ten years unless patients transfer to a new healthcare provider.

In light of the breach, the Privacy Commissioner stated that any request for data deletion must be addressed within 20 working days, although this period can be extended. Jackson’s experience has raised questions about the effectiveness of data security measures and the clarity of information provided to users regarding their rights.

In response to the data breach and growing concerns, Manage My Health announced the appointment of Russell Craig to its advisory board. Craig, who served as Microsoft New Zealand’s National Technology and Security Officer from 2014 to 2023, brings extensive experience in digital strategy and risk management, particularly within the healthcare sector. He joins Professor Murray Tilyard ONZM, who serves as an honorary clinical adviser, and Ross Tanner, who advises on governance and privacy matters.

As the fallout from the breach continues, users like Jackson remain vigilant, questioning the security of their personal information and the effectiveness of the measures being put in place to prevent future incidents. The situation underscores the critical need for robust data protection practices in an increasingly digital healthcare landscape.