Hack Exposes Health Data of 127,000 New Zealanders: What Happened?

Editorial

A significant data breach involving the patient management portal Manage My Health has compromised the personal health information of approximately 127,000 New Zealanders. This breach has raised serious concerns about the security of sensitive medical data held by private companies in the healthcare sector.

The incident has revealed that information such as clinical discharge summaries, referrals, and historical records—totalling around 430,000 documents—may have been accessed unlawfully. Patients are understandably alarmed to learn that their health data is stored by a private company rather than a public institution, further complicating concerns about data security.

Manage My Health: A Brief Overview

Founded in 1989 by engineer Robin Churchman, Manage My Health is part of a broader evolution in New Zealand’s healthcare technology landscape. The company started as Health Technology Ltd, which introduced the first Practice Management System (PMS), called Medtech16. Over time, the software gained traction, with approximately three-quarters of general practitioners (GPs) opting to use it for managing patient care.

In 2000, Vinogopal Ramayah, a lawyer and businessman, became a director and later the chief executive. Under his leadership, the company expanded internationally, establishing a presence in the United States, United Kingdom, Australia, Ireland, and India. The introduction of patient portals, such as Manage My Health in 2008, aimed to enable patients to access their health records more conveniently.

Despite initial reluctance from some GPs and patients, government backing in 2014 helped boost subscriptions significantly, positioning Manage My Health as a leading provider in New Zealand. It now claims to be “trusted by over 1.85 million Kiwis,” although the recent hack has called that trust into question.

The Breach: How It Happened

The breach has been attributed to a hacker gaining access through a legitimate user password, suggesting that the attack involved repeated login attempts rather than a simple password leak. Digital standards consultant Callum McMenamin pointed out that the lack of multi-factor authentication (MFA) on the portal contributed to this vulnerability. MFA typically requires users to provide a second form of verification, significantly enhancing security.

McMenamin criticized the oversight of health data management, arguing that while Health New Zealand publishes extensive security standards, they do not mandate specific security measures like MFA. “Security is really complicated and very situational,” he noted, advocating for a standard that would require MFA for health systems.

While some industry experts, including Stella Ward, CEO of the Digital Health Association, agree that MFA is essential, they also acknowledge that implementing such security measures can pose challenges for certain patients, particularly the elderly or those with disabilities. Balancing security and accessibility remains a critical concern.

The legal implications of managing sensitive health data are significant. According to privacy barrister Kathryn Dalziel, the Health Information Privacy Code mandates that health providers take reasonable steps to prevent unauthorized access to patient information. Questions arise regarding whether Manage My Health adhered to these legal requirements and what repercussions may follow for the company in light of the breach.

The Ministry of Health conducted a one-off security review of key health portals in 2018, but it has not assumed ongoing auditing responsibilities. This lack of continuous oversight places the burden of security compliance on health providers, many of whom may lack the expertise to evaluate the safety of digital products independently.

Public vs. Private: The Security Debate

Amid discussions about the management of health data, a debate has emerged regarding the comparative security of private versus public systems. Alex Kemp, CEO of Health Informatics NZ, emphasized the importance of private companies in developing health technology. She argued that, contrary to popular belief, patient data is not necessarily less secure in private hands than in public systems.

Both McMenamin and Kemp expressed concerns about the current state of health data security in New Zealand. McMenamin stated he would not feel comfortable using any patient portal in the country, given the existing vulnerabilities. Conversely, Kemp, while remaining a user of Manage My Health, believes in the potential of technology to improve healthcare outcomes, asserting that the benefits often outweigh the risks.

As the health sector continues adapting to digital tools, experts stress the importance of constantly reviewing and updating data protection measures. Bryan Betty, chairperson of GPNZ, remarked that the breach serves as a wake-up call for health services to enhance their data protection protocols. He cautioned against abandoning technologies that streamline healthcare, urging stakeholders to learn from the incident to improve future practices.

The fallout from the Manage My Health breach has prompted urgent discussions about the responsibilities of private companies in safeguarding health data, the adequacy of existing regulations, and the need for better training for healthcare providers in cybersecurity. As the sector evolves, ensuring robust protections for sensitive patient information will be crucial for maintaining public trust.
