Source: Radio New Zealand
Health Minister Simeon Brown. RNZ / Mark Papalii
Health Minister Simeon Brown has commissioned a review by the Ministry of Health into the response to the cyber security breach involving patient information on ManageMyHealth.
In a statement, Brown said patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards.
“I have decided to commission the Ministry of Health to lead a review of the ManageMyHealth and Health New Zealand’s response.”
The minister has written to the Director-General of Health asking that the review will commence by the end of the month.
ManageMyHealth had identified all the patients who have had their health records stolen – but cannot yet say when they will all be told.
The group, calling themselves “Kazu”, have threatened to release more than 400,000 unless a ransom is paid.
A spokesperson for ManageMyHealth said it had identified all those affected, and hoped to have an update later in the week once all the communications with GPs and affected patients had been coordinated with the Ministry of Health, Health NZ, Privacy Commissioner and GPNZ.
“We are not waiting to determine who is affected – we know.”
The company was working to provide “a timeframe for communications” by Tuesday.
Because the health documents originated from multiple sources, there were many different agencies with obligations under the Privacy Act and the Health Information Privacy Code to notify affected individuals.
“This requires coordination to ensure we meet our legal obligations and do not create confusion for patients by having different organisations contact them separately about the same incident.”
Meanwhile, an independent forensic investigation was currently underway, and it would “not be appropriate to comment” on specific technical matters while that was ongoing.
“What we can confirm is that we became aware of this incident on 30 December when we were notified by a partner, and we notified the relevant authorities that same day. The specific vulnerability that allowed unauthorised access has been identified, patched, and independently verified by external cybersecurity specialists.”
‘Big wakeup call’
Brown earlier said the cyber breach of the country’s largest patient information portal was a “big wakeup call”, telling Morning Report he was incredibly concerned.
“It’s a deeply serious situation,” he said.
“I’ve been briefed a number of times by health officials who are working very closely with ManageMyHealth in regard to the notification process.”
He said ManageMyHealth was also working with the Privacy Commissioner and the National Cyber Security Centre, who were providing them with advice around the notification process.
Brown said his expectation was that they do it as quickly as possible, but they also had to do it accurately as well, and in compliance with the Privacy Act.
“There’s a number of processes they have to go through. My expectation is that they do that as quickly as possible so that patients who have had data breached are aware of that and of what data has been breached,” he said.
Brown said the advice he’s received was that the cyber hackers had only released a very small portion of data as part of their attempt in order to receive a ransom payment.
There was a forensic process underway at the moment to go through and identify who’s been impacted and then the process of notification, which is what Manage My Health was doing, he said.
Brown said the group were using hacked information in order to receive a financial reward, but they did not know where they were operating from.
“The reality is that here is a big wakeup call in terms of the protection of private health data and their need for that to be held in the most secure form possible so that patients can have confidence in how it is being used,” he said.
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
