I started to write a long article about the Manage My Health hacking fiasco, but for simplicity I have opted for a series of bullet points and a final comment.
• Manage My Health (MMH) is a New Zealand digital health company that runs an online system connecting patients with their GP practices and other primary-care providers.
• It holds records for around 1.7–1.8 million users. On New Year’s Eve the MMH site was hacked, an estimated 430,000 patient records were captured and a ransom was demanded.
• Eight days later, in an RNZ interview, MMH CEO Vino Ramayah admitted the attackers “got in through the front door” using a valid user password (i.e., a credential-based intrusion). So this wasn’t some sophisticated state-sponsored cyber assault; someone simply got hold of a working login and used it. That’s it.
• Health Minister Simeon Brown tried to downplay this massive data breach by saying the breach was “concerning” and was very quick to point out that MMH is a private company and not a government agency - implying of course that it really wasn’t the government’s problem.
And now we get to the heart of it.
• The bullshit neoliberal mantra that the government should not be in the marketplace “because business knows best” has once again created a horrendous problem impacting the lives of many thousands of Kiwis.
Why? Because one of the ways businesses return profits to their shareholders is to cut back on staff and maintenance.
• Six months earlier an anonymous tipster contacted both Manage My Health and the Office of the Privacy Commissioner warning that user names, email addresses, and passwords were exposed by the platform. Both the company and the regulator were put on notice that something was seriously wrong.
• Callum McMenamin – a web standards consultant – had also publicly questioned Manage My Health’s authentication processes on LinkedIn some six months earlier. He said they were putting “millions of New Zealanders’ health information at significant security risk” and tagged the company directly. They ignored him.
• Multi-factor authentication, now standard in banking, would have prevented this disaster, but of course that would have eaten into the company’s profits.
• What penalties will MMH face? Probably none. Oh, there will be an inquiry. Minister Brown may repeat how “concerned” he is, but unless Cabinet gives the Privacy Commissioner more powers, he can only advise companies; he cannot demand changes to the computer systems of private companies.
• The history of data breaches in New Zealand tells us there is no government appetite for imposing penalties.
• In May 2021, the Waikato DHB was hit by hackers who compromised 611 servers across five hospitals. Personal information of more than 4,200 patients and staff was stolen, and surgical operations were disrupted for months.
The result? No fine.
• The Mercury IT ransomware attack in December 2022 hit coronial files, post-mortem reports, and bereavement records.
• The Latitude Financial breach in 2023 exposed the personal data of around a million Kiwis. Nearly three years on, the under-resourced Privacy Commissioner still hasn’t finished investigating it.
• Then there was Tū Ora Compass Health PHO. When that breach was discovered in 2019, investigators found attacks dating back to 2016, and up to one million New Zealanders were potentially affected.
Penalties imposed? Zilch!
• The maximum fine set in 1993 remains at $10,000 and Commissioner Michael Webster has asked successive governments for the penalty to be increased. Instead the Coalition Government cut his budget by $2.1 million over four years.
Conclusion
This is how the risk gets socialised while accountability is privatised. A company cuts corners to maximise profits, the government makes sure the regulator is starved of the funding it needs to do a proper investigation, and the business lobby is kept happy.
To hell with the fact that the most intimate details of thousands of New Zealanders are now for sale on the dark web and in criminal hands.
Is Minister Brown going to do anything constructive to prevent future breaches and give the Privacy Commissioner the ability to hire more staff and impose hefty fines?
Don’t hold your breath!
This post has now been made free thanks to the generosity of my paid subscribers who support my public journalism.
If you are a free subscriber, please consider upgrading to paid. I need your help to keep going.
For $10 a month including GST (less than a cup of coffee a week) you can gain full access to all my paywalled fourth estate articles, documentaries and podcasts, plus you will get to comment in a chatroom of thoughtful Kiwis who care about our country and where it is going, in a troll-free social media environment.
To my paid subscribers, thank you for your ongoing support. I have had quite a few drop-offs in subscriptions lately - expired gifts or expired credit cards. I know it’s tough for people at the moment, but I have to find a way of keeping my Substack going. Please consider giving a subscription to a friend or whanau.



Thanks for the summary Bryan. I tried to access my MMH account a few days ago. I saw a notice telling me to change my password. I cannot do that as a captcha blocking access will not recognise me as a human being. My account is inaccessible, I cannot change my password and I have had no communication from my GP clinic. I view MMH and the Ministry of Health as equally culpable here. I think I should have been informed by my GP practice when I or they opened this account that it was run by a private company. I would have asked that my records be kept out of private hands but I was never given this choice. Simeon Brown might be sitting on his hands now but pretty soon he is going to have to accept liability for this fiasco. My surgery was delayed by about 2 years when the Waikato DHB was hacked. My health records are somewhere - probably on the dark web - and for sale to the highest bidder. DHBs cannot even access patient health data from each other. And in the end nobody will/can investigate these flagrant breaches of data and trust.
Te Whatu Ora - in Northland at least - is still actively promoting the use of Manage My Health.
https://info.health.nz/hospitals-services/hospitals/northland/accessing-your-health-information
How many people enrolled in Manage My Health because of the recommendation by Te Whatu Ora?
How many people believed that if Te Whatu Ora was promoting Manage My Health that it must be a secure portal?