Source: Radio New Zealand

Which has better data security – Manage My Health or the KFC app? RNZ / Finn Blackwell / 123rf

Colonel Sanders has better web security than many digital health providers, an IT expert has claimed, saying the government is failing to enforce what minimum standards it has.

It comes after two weeks of bad headlines for hacked patient data portal Manage My Health, and Monday’s revelation oncology provider Canopy Health had been breached in mid-2025, but did not tell anyone for months.

Both services are privately owned. Nearly 2 million people are registered on Manage My Health, mostly via GP practices, while Canopy is the largest private medical oncology provider in the country. Hackers accessed the data of about 120,000 Manage My Health users, most of them based in Northland.

Callum McMenamin, a web standards consultant who has worked on government website security, told Morning Report on Tuesday he called out Manage My Health’s lax security six months ago.

“The really big problem is no one in the government is checking if these private companies are adhering to digital security standards. The government has created a health information security framework, its standards for health information security, but the government is not checking if those standards are being properly implemented within private companies like Manage My Health or any of the other patient portals that we use.”

He said there should be an “enforceable standard” for providers, who should be penalised if they fail to meet it, else people will “lose trust in the digital health system”.

“There needs to be some kind of approach where maybe private companies are just not allowed to supply digital health systems if they’re not secure enough. Or maybe there should be fines, or maybe they should be asked to make immediate changes to their systems if any issues are found.”

Whether a government-provided service was any less penetrable would depend on the level of security it offered, McMenamin said.

“What it really comes down to is standards – technical standards and how well they are monitored and enforced. So you could make the private sector very secure if those standards are properly implemented and if those standards are of very high quality.

“So I think we probably can have private companies in this sector, but they just need to be properly regulated.”

Manage My Health does offer two-factor authentication, which requires an additional piece of evidence that the user is who they say they are, for example a fingerprint, an SMS response code or a third-party authentication app. Investigations have found a lack of two- or multi-factor authentication has resulted in other local cybersecurity breaches.

“Some of the public comments from the chief executive of Manage My Health said that the hacker logged in with a valid user password – two-factor authentication is a system that could potentially stop those kinds of attacks from working,” McMenamin said.

“So multi-factor authentication really needs to be mandatory across all accounts for it to be properly effective.

“I noticed that KFC where you order your chicken has mandatory two-factor authentication, but Manage My Health does not have it. So for some reason Colonel Sanders seems to be more secure than our digital health providers.

“[It is] pretty much every service uses it now – Facebook, Instagram, your Apple ID is probably protected by it as well, so it’s just a ubiquitous technology because in the modern age, with all of the information that we upload online, two-factor authentication really is absolutely mandatory. It’s just too risky not to.”

Health providers were finger-lickin’ good targets for hackers, he said, because the data can be used for extortion attempts.

“It does seem that many health organisations have very poor IT security controls in place, so they’re very easy targets. They’re just sitting ducks.”

RNZ has contacted Health NZ and Manage My Health for a response to McMenamin’s claims.

– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
