Source: Radio New Zealand
The hackers, calling themselves ‘Kazu’, posted on Sunday morning that unless the company paid a ransom within 48 hours, they would leak more than 400,000 files in their possession. Supplied
- The day of a deadline for a ransom demand in the massive Manage My Health data leak has arrived.
- It is believed the deadline expires at 5.37am New Zealand time.
- It comes as communication from the country’s largest patient portal is criticised by a former intelligence officer.
The deadline has arrived for the ransom being demanded after hundreds of thousands of medical files were stolen from the country’s largest patient portal.
Manage My Health is still grappling with the massive data breach affecting more than 120,000 of its users.
Health Minister Simeon Brown said the government had a long-standing position that ransoms should not be paid.
Manage My Health said late on Monday, ahead of the deadline, that any ransom demand was a matter for Police.
It said it would not be making any comment about a ransom while an investigation was ongoing.
The platform said it was sincerely sorry for pain and anxiety caused to health providers and patients.
“We acknowledge we could have done a better job at communication,” it said in a statement.
“However, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients.”
It said it would be publishing daily updates with all the information it was able to share.
Simeon Brown, speaking after announcing an urgent review into the breach, said he had raised communication with the platform.
“I spoke to the CEO last week, made my expectations incredibly clear around the need for Manage My Health to be clear and transparent with its communications to the public and its users and to work closely with agencies and to make sure that they are following their advice,” he told RNZ.
Brown described the data disappearing as “pretty unacceptable”.
Health Minister Simeon Brown. RNZ / Mark Papalii
Luke Hogan, a senior technical manager who works at Intellium, said he could not see Manage My Health recovering.
“I don’t know how they’re going to come back from this, it’s a bit tough,” he said.
“For me it’s really, really disappointing that basic cyber security has not been taken seriously.
“From my perspective, health data is right up there with financial data, some of the most critical data that needs to be protected,” he said.
“It’s just very, very disappointing and a little bit shocking as an IT professional to hear that this has happened”.
Will ransom be paid?
While Manage My Health would not be drawn on the ransom, a former intelligence officer said in general they should not be paid.
Antony Grasso had also worked at the Government Communications Headquarters (GCHQ), the United Kingdom’s intelligence, security and cyber agency.
He himself was a Manage My Health user.
“I personally would advise not to, even if it was my own data that was going to get released, which it may be,” he said.
“It’s a tough call without giving the full context but the general rule is not to pay the ransom, that’s the general rule.
“I mean, you’re bargaining with effectively criminals or thieves, and there’s no honour amongst thieves, we know that, and they may release it anyway and it also means we’re a soft touch.”
Grasso said he had not seen Manage My Health take many tangible actions after the breach.
“You know, just as a general bod on the street, I don’t feel like they will necessarily have had a good plan for the response,” he said.
“I haven’t seen a lot of transparency and I haven’t seen a lot of action that I would expect for a company that’s holding that much private information.”
Grasso hoped security companies used by the platform would be dumped and have nothing to do with it in the future.
“Because clearly, somebody’s dropped the ball.”
‘Rumours for some time’ – Deputy Privacy Commissioner
Deputy Privacy Commissioner Liz MacPherson told RNZ she believed issues had surfaced in the past.
“As I understand it there have been rumours for some time but the issue we’ve got is that there are white knight hackers and others out there who do raise these issues, quite often it’s very difficult to know whether these people are actually hackers themselves or whether they are white knights, so it’s difficult to police,” she said.
A white knight is a hacker who acts with good intentions to get vulnerabilities fixed.
“So as I understand it, these issues have been drawn to Manage My Health in the past and I think to some media outlets as well,” MacPherson said.
Liz MacPherson. RNZ / Dom Thomas
She said the Office was irked by widespread complacency around cyber security.
“The frustration for us at the Office of the Privacy Commissioner is that we continue to see complacency from, and this is across the board… a continuation of the ‘it’ll happen to somebody else, not to me’ type approach,” she said.
“And you have to ask the question, is the lack of a penalty regime part of that?”
MacPherson said fines in Australia used to be around $3.3 million but had risen significantly.
“So the major breaches risk fines of up to greater than $50m AUD, which is three times the financial gain from the breach, or 30 percent of the company’s turnover.
“I guess what I’m saying to you is that we didn’t even have the lower level fines that they had, which were around 2 to $3 million,” she said.
“We don’t have any penalties, we do not have a civil penalty rating.”
What Manage My Health says
Manage My Health, in its latest update, said it wanted to reassure the public that its team had been working tirelessly through the holiday period.
“Secondly, we have been working as part of a cross-sector group to implement processes to begin communication with affected practices and patients,” it said.
“We acknowledge that this delay has been a cause for concern.”
The platform said it welcomed the review launched by the Health Minister and it would fully cooperate.
It said its international team was monitoring known data leak websites and was prepared to issue takedown notices immediately if any stolen information was posted.
It had also obtained a High Court injunction preventing third parties from accessing data posted as a result of the cyber attack.
The High Court in Wellington has confirmed to RNZ it received an application for an injunction.
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
