Source: Radio New Zealand
Manage My Health insists it encrypted health data in its database and user passwords. Photo: RNZ / Finn Blackwell
An information technology expert warns the Manage My Health data breach may make victims vulnerable to bank account theft.
About 125,000 Manage My Health users have been affected by a massive data breach, with hackers stealing hundreds of thousands of medical files.
Those whose health records have been stolen in the ransomware attack are struggling to get any information, with the website repeatedly crashing and the 0800 number overloaded.
Cybersecurity and operational technology expert Dr Abhinav Chopra told RNZ the information contained in the breach, like health and personally identifiable data, could be used to access bank accounts.
“Using this information, with phone banking and others, you can easily get access to a number of bank accounts and transfer money, even in this period,” he said.
“Many banks and other institutions will just ask you, ‘Hey, what’s your name, what’s your date of birth, what’s your email address, what’s your phone number’, and some of that information or all of that information is basically in that app, Manage My Health.”
Chopra said the company’s layers of security, like password protection and encryption, weren’t appropriate for the level of sensitive data the company held.
He said the company did not apply about 17 different controls, culminating in a security breach.
“These kind of 101 basics and this stuff, it does need some investment, but when you’re holding critical information like health information and personally identifiable information, these should be your basics,” Chopra said.
On Friday, Manage My Health said it encrypted health data in its database and user passwords.
“[Manage My Health] is an ISO 9001 and ISO 27001-certified organisation,” it said. “We have quality assurance processes with regular testing of our systems.”
Chopra said hackers often targeted people on holiday or out of business hours, so victims couldn’t verify the information given with an official channel.
“Either you are busy doing something and you will just fall for that thing that they have said, or if they have created kind of an emergency kind of situation, then you fall for it,” he said.
“If you even call your own bank or your agency, or someone else, you will be outside of office hours and you will not be able to get that answer back.”
Chopra urged people not to rush into answering what could be a scam email or message.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand






