Cyberattack on Manage My Health Affects 127,000 Patients

A cyberattack on the Manage My Health platform on New Year’s Eve has left significant implications for patients across the Wairarapa region. The breach has potentially impacted around 127,000 patients, with concerns about the security of sensitive health data.

Former users of Manage My Health, which was previously utilized by Wairarapa Medical at two of its three South Wairarapa practices, have been advised to close their accounts. Following the migration to MyIndici, patients received emails detailing the process for account closure. Instructions indicated that patients should sign in, navigate to “My Account,” and select “Close Account.” The email assured users that “your information is removed when you close your account.”

Reports from other former users indicated they were prompted to change their passwords when attempting to access the site earlier this week. Alec Birch, a patient at Masterton Medical—which ceased using Manage My Health last year—expressed uncertainty regarding the breach’s impact on his legacy account. He stated, “I don’t know if we have been impacted [by the breach],” adding that the incident has diminished his trust in such platforms.

Masterton Medical was approached for comment regarding patient communication but had not responded by the time of publication. In light of the breach, Dr Buzz Burrell, chairperson of General Practitioners Aotearoa, highlighted a broader issue of trust within the medical community. He remarked that patient portals like Manage My Health were initially embraced as valuable tools, stating, “We trusted a system … in hindsight, that was artificial trust.”

Burrell attributed the breach to a lack of government oversight in primary care, claiming that the management and viability of general practice have been left to individual GP ownership. This has resulted in a fragmented and vulnerable healthcare system. Following the breach, Burrell sent a letter to the Privacy Commissioner, raising concerns about potential “vicarious liability” for general practitioners and the financial implications of civil cases that might arise from the breach.

Cybersecurity expert Adam Burns from Blackveil advised individuals affected by the breach to remain vigilant. He suggested that users who have closed their accounts should consider making a written request to ensure their data is deleted. Burns noted ongoing vulnerabilities on the Manage My Health site, including issues related to weak encryption keys and missing security headers.

The Minister of Health, Simeon Brown, acknowledged the seriousness of the breach, stating, “Patient data must be protected to the highest of standards.” He confirmed that individuals can close their accounts and that Manage My Health has committed to deleting all information within 90 days. Brown has requested a review from the Ministry of Health regarding the breach and the platform’s response.

In response to the breach, Manage My Health announced it would start notifying affected patients via email within 24 hours, aiming to complete notifications by early next week. The company has also secured interim injunction orders from the High Court to prevent third parties from accessing any stolen data.

The total number of documents compromised in the breach stands at approximately 430,000, underscoring the scale of the incident and its potential ramifications for patient privacy. The unfolding situation has raised significant concerns about the security measures in place for digital health platforms and the trust patients place in these systems.