Source: Radio New Zealand

RNZ / Finn Blackwell

  • New ransom deadline arrives
  • Deceased patients among those to have data breached
  • Manage My Health response labelled “shambolic, frustrating and slow”
  • Patient told she is caught up in breach after being earlier told she wasn’t

A new ransom deadline is thought to have arrived as criticism mounts of Manage My Health’s response to its hacking and massive data breach.

In an interview with RNZ this week, the country’s largest patient portal believed the new deadline was 5am on Friday.

It would not be drawn on whether it was prepared to pay.

The College of GPs said Manage My Health’s reaction to the cyber attack had been shambolic, frustrating and slow.

“Patients are really frustrated, GPs are frustrated, there’s mixed amounts of information coming out,” president Luke Bradford said.

“Some practices are being told the number of patients they have affected but not which patients, my practice for instance was told we had 59 patients but not the patients’ names, some practices are being given the patients’ names, Manage My Health has said they’re going to contact patients but that hasn’t happened particularly quickly yet.”

He said his own practice stopped using Manage My Health several years ago and it had no idea records were still being stored after that relationship ended.

Manage My Health needed to up its game and give step-by-step instructions to not only affected patients and practices but everyone it still had records for, he said.

Angus Chambers from the General Practice Owners Association was also unimpressed with how long it was taking Manage My Health to contact patients.

Those who had not yet been told their data had been breached had been left wondering whether it had, he said.

Manage My Health’s latest update said “direct notifications to the first 50 percent of patients affected” had commenced.

It did not answer a request from RNZ to clarify that statement.

Notifications were being sent by email to addresses affected patients used to register their account.

An Auckland patient, Barbara, told RNZ she was disturbed after Manage My Health told her that her data had been breached after telling her two days earlier it had not.

“I got an e-mail saying that my details hadn’t been impacted by the hacking, and that was fine, I thought ‘oh well, good’,” she said.

“And then I got another email to say well actually, yes I have unfortunately.”

Barbara said she was directed to go online to immediately change her password.

“I got part way through and then there was a notification saying the website was down, I presume everybody who’s just been notified was trying to change their password immediately and it was overloaded,” she said.

Barbara was now left trying to figure out what her data being breached meant for her, she said.

“I can see for some people that have come forward, like the people who have suffered from abuse and things like that, you definitely don’t want that information out there.

“But what else is there? And that’s what’s worrying me.”

Another patient who RNZ has agreed to not name said Manage My Health should have known that lots of anxious patients would flood its website.

“They are reporting problems with the platform on the platform that is having problems,” she said.

Disability advocate Blake Forbes, meanwhile, said it was unacceptable that many people were still in the dark over a week after the cyber attack.

“For me it’s causing, from a personal perspective, and I know a lot of friends are like this as well, it’s causing me a lot of anxiety, their GPs don’t even know what’s going on.”

Dead patients among those with records breached

Manage My Health announced it had appointed an honorary clinical advisor in the wake of the breach, Emeritus Professor Murray Tilyard.

He told RNZ the breach was significant, but varied from practice to practice.

“So I’m aware of a clinical network who have over 100,000 enrolled patients, and 99.6 percent of those patients’ records have not been breached,” he said.

“Now, that doesn’t mean that other practice networks or practices don’t have a much higher proportion.”

Tilyard expanded on what he said were three categories within the breach relating to three years of data between 2017 and 2019.

The first was Northland hospital discharge summaries, he said.

“So these only affect patients who were resident in that Northland area in those years, 2017 to 2019. We now know that many of them have shifted.”

The second category was material uploaded by patients themselves.

“It could be, for instance, I’ve notified via the portal that I’ve changed my address. It could be that I’ve actually uplifted my home blood pressure recording, or my weight.

“So these are patient-generated documents.”

The third was referral documents.

“So I’m interested, once I’m briefed, to understand the mix of those,” he said.

“Because that’s actually important to be able to tell the patients whose data has been breached what has actually been taken because some data, I would suggest both you and I would feel is more sensitive than other data.”

Tilyard said he did not underestimate how patients would be feeling.

“I mean, I go back to when I was very young and living at home in Wellington and we came back from holiday to find that people had broken the house and lived there for a week. My mother was devastated, she wanted to leave,” he said.

“The house was tainted, her privacy was tainted.”

Tilyard said his role would also include helping practices identify patients who were potentially vulnerable and may need more support.

He said the breaches did not just affect patients.

“I’m aware that some of the patients who start have been breached are deceased, so my strong view is that the practices must identify, obviously, those who are deceased.”

He said next of kin must be identified and contacted because they themselves may be vulnerable.

“In New Zealand there are 1022 individual general practices, so we’re mobilising.”

Tilyard said he knew Manage My Health chief executive Vino Ramayah and offered his help.

Manage My Health response ‘unacceptable’, site still has flaws

Vimal Kumar, a senior lecturer at Waikato University’s Cyber Security Lab, said it had taken too long for Manage My Health to contact affected patients.

He described the security breach as “a pretty major one”.

“The company was made aware of this on 30th of December and they are reaching out to their users, people who have been affected now,” he said.

“It’s shocking, and people are worried about the safety of their data and their own well-being.

“And then to have to wait for nine days to get any information from the organisation is shocking, to be honest.”

Kumar said other aspects of Manage My Health gave an indication of its security.

“There’s something called DMARC (Domain-based Message Authentication, Reporting, and Conformance) which has not been set up properly.”

He said this was something that was easy to configure.

“Now, this particular hack is not related to DMARC, but that sort of gives you an idea of the cybersecurity posture of the organisation.

“If the DMARC which is fairly easy to set up has not been set up, then what other things were not being done properly?”

The key facts according to Manage My Health

The cyber incident was limited to 6-7 percent of 1.8 million registered users, within the “My Health Documents” module only.

The data relates to a range of medical practices, including:

  • Approximately 45 Northland-based GP practices;
  • Clinical discharge summaries and historical clinical referral records in the Northland region (data that is between six and eight years old)
  • Approximately 355 “referral-originating” GP practices across a number of New Zealand regions
  • Personal health information uploaded by patients

– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
