ManageMyHealth Data Breach: Thousands of Patient Records Compromised, Government Launches Review

A significant data breach at the trans-Tasman health portal ManageMyHealth has left thousands of patients concerned about the security of their sensitive health information. The incident, which occurred in late December, saw ransomware group Kazu exfiltrate approximately 108 gigabytes of patient data. The breach has prompted a government review into the company’s security measures and response.

• Approximately 111,000 to 129,500 patients (6-7% of 1.85 million users) may have been affected.
• Ransomware group Kazu claimed responsibility and demanded a $60,000 ransom.
• The breach reportedly occurred through "broken access controls" and a "valid user password."
• New Zealand’s Health Minister has commissioned a review into the incident.
• Patients and GPs expressed frustration over the delayed and insufficient communication.

ManageMyHealth, a portal used by numerous general practices across New Zealand, was alerted to the breach on December 30th. Ransomware group Kazu claimed to have accessed and exfiltrated a substantial amount of patient data, estimated to be around 108 gigabytes. This data includes patient records, hospital discharge summaries, and referrals from GPs to specialists, with some documents dating back to 2017-2019. Preliminary internal analysis suggests that between 6% and 7% of the portal’s 1.8 million registered users, equating to approximately 111,000 to 129,500 individuals, may have been impacted.

Many patients only learned of the breach through social media and news reports several days after the incident was detected, leading to widespread frustration and anxiety. GPs also expressed concern over the lack of timely and transparent communication from ManageMyHealth. Some patients reported difficulties in accessing information about what specific data was taken and how to secure their accounts. The incident has raised questions about the security protocols in place for digital health platforms and the trust patients place in them.

In response to the breach, New Zealand’s Minister of Health, Simeon Brown, announced a formal review into the incident. The review will assess the causes of the breach, evaluate the adequacy of ManageMyHealth’s data protection measures and incident response, and recommend improvements to prevent future occurrences. Health New Zealand is also working with the portal operators and primary care providers to understand the full impact on patients and practices. The government has emphasized the critical need for robust protection of sensitive health data, regardless of whether it is held by public or private entities.

ManageMyHealth has stated that the breach has been contained and its platform is now secure. The company has obtained a High Court injunction to prevent third parties from accessing or distributing the stolen data and is actively monitoring known data leak websites. While the company has apologized for the distress caused, the incident highlights the ongoing challenges in cybersecurity within the healthcare sector. The outcome of the government review is expected to inform future expectations for cybersecurity controls and incident management planning across data-intensive industries in New Zealand.

• Patients fret as ManageMyHealth data breach drama plays out, iTnews.
• Northland patients learn their records were stolen in Manage My Health data breach, NZ Herald.
• New Zealand GP patient portal reports cyber breach of health data, Insurance Business.
• ManageMyHealth front door left open for ransomware, Medical Republic.
• GPs worried by lack of information on ManageMyHealth data breach, RNZ.