Source: Radio New Zealand
The company has apologised for the breach and hopes to have contacted affected patients by early next week. RNZ / Finn Blackwell
Patients whose health records have been stolen in the Manage My Health ransomware attack are struggling to get any information, with the website repeatedly crashing and the 0800 number overloaded.
Andrea*, who lives in Wellington, said she received an email on Friday, telling her that she had been “impacted” and to log on to Manage My Health for more details.
“Except I can’t log in, as it’s ‘temporarily unavailable’,” she said. “I called the helpline included and was apparently No. 2 in the queue.
“I waited and waited, and had several more ‘Sorry to keep you waiting’ messages, but then at 11 minutes, the call was cut off.
“I called back and there was an automated message saying, ‘Due to the high volume of queries, we are unable to take your call’.”
Andrea tried a couple of times more over the morning, before giving up.
She said she had been prepared to give Manage My Health “the benefit of the doubt” until now.
“First of all, I thought, ‘Well, no news is good news’, but that was not the case, because it turns out I am impacted. Then I was, like, ‘OK, I’ll trust the process’, but I no longer trust the process.
“I naively gave them the benefit of the doubt, but now I’m just angry.”
She messaged the company and planned to lay a formal complaint with the Privacy Commissioner.
Mixed messages
Another patient, Nel*, said she received two emails from Manage My Health on Friday, advising that her health documents had been impacted in the data breach “and offering their sincere apologies”.
“I was directed to the website to log on for more information about the health data that was impacted,” she said. “When I logged on, I was advised I was my personal health data was not affected by the breach.
“It is very hard to have any faith in Manage My Health to ‘manage’ this situation and protect my health information.”
Where were checks and balances, patients ask
Lou* is angry with the criminals behind the ransomware attack – but even more furious with Manage My Health’s “arguably criminal negligence” and poor communication.
“I know for a fact, based on the limited information provided by Manage My Health, that some of my most sensitive information is now in the hands of someone unknown, and there is now a crescendoed risk of me being targeted for scams and potential ID theft.
“The potential documents now hanging in the balance contain a lifetime’s details of health records… hugely vulnerable details of my worst moments, healthwise.
“Beyond that, we have not yet been informed of further data now made available as ammunition.”
It was hard to understand how a private company had been allowed to store highly sensitive information without basic safeguards, Lou said.
Overseas users locked out
A New Zealander currently based overseas said Manage My Health had blocked her ability to secure her account, ironically, for “security reasons”.
The email from Manage My Health informing her that her account had been affected listed three recommended security steps – changing her password, enabling multi-factor authentication and “stay[ing] alert for any unusual account activity”.
“However, because I am overseas, MMH has blocked my ability to access my account.
“The email I received from MMH suggests that this is because of recent steps MMH has taken to tighten security – ‘We’ve added extra checks when people log in and limited how many times someone can try to access the system in a short time’.
“However, as a legitimate user of the MMH system who just happens to be overseas right now, I find myself unable to implement any of the recommended security steps or access any of the information in my MMH account.”
She said she was frustrated with the time Manage My Health had taken to make contact and the additional barriers.
“This is a frustrating over-correction. Not only does it prevent me from taking the steps necessary to secure my information, it also appears to be another privacy breach.
“I can no longer access my own personal health information, without sharing my login details with somebody who is located in NZ, which I imagine is also a breach of MMH’s terms.”
Blank emails
Grant* said he received an email on Friday morning headed “Important: Information About Your Manage My Health Account”, but the email was completely blank.
“I don’t know if my data has been compromised or not.
“My wife opened it with the mobile phone and had the information that my details had been accessed, but trying on the desktop, there’s nothing showing on the email.
Gemma* said she was also told that her account had been impacted, with a “summary” of the incident, but could not get through on the 0800 number provided.
“I called this morning and was 13th in the queue, before it cut me off, and it’s now overloaded and tells you to try again in a hour.
“Needless to say, I still haven’t been able to get through. It does go onto tell you the steps that have been taken.
“The email also says you have the right to complain to the Office of the Privacy Commissioner, but fails to tell you that the OPC won’t accept a complaint, until you have complained to the provider first.”
Manage My Health has apologised for the cyber-security breach and said it hoped to have contacted all affected patients by early next week.
*names changed for privacy reasons
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
