A slowly unfolding, high-profile data breach at trans-Tasman health information portal ManageMyHealth has thousands of registered patients on edge over whether their highly sensitive data has been compromised and could be leaked onto the internet.
On December 30, ManageMyHealth was notified that ransomware group Kazu had breached its systems and exfiltrated some 108 gigabytes of patient data.
Patients and GPs only learned of the data breach when they visited the ManageMyHealth website, or used the company's mobile app, and were told a cyber security incident was being investigated.
No notification was sent out by ManageMyHealth to users, who learned over several days what had happened from social media postings and ensuing news reports.
ManageMyHealth claims to have signed up 1.85 million patients since 2008.
In a frequently asked questions list posted several days after the data breach, ManageMyHealth indicated that "six-to-seven percent" of users are affected, which amounts to 111,000 to 129,500 people.
The company said it has contained the breach, and that its platform is now secure to use.
It has turned off its mobile app, and is advising people against communicating with Kazu.
ManageMyHealth has also this week been granted a High Court injunction that bans third parties from accessing any data from the breach.
Although Kazu is described as a ransomware crime group, the data appears to have been taken through broken access controls in the ManageMyHealth system rather than through any exotic intrusion technique.
ManageMyHealth chief executive Vino Ramayah told Radio New Zealand that the attackers "came in through the front door using a valid user password", and that a single system module containing health documents from specialist referrals was accessed.
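The article says only that the attackers held a valid login and that access controls were broken; it does not describe the defect itself. The code below is an added, generic illustration of that failure class (a document endpoint that checks authentication but not object-level authorization), not ManageMyHealth's code and not a claim about their actual vulnerability. All names, the document store, the sharing table and the access-log lines are constructed for the example.

```python
# Added, generic illustration of the "valid login + broken object-level
# authorization" class the article describes.  It is NOT ManageMyHealth's
# code and makes no claim about their actual defect.  All names and data
# below are constructed for the example.
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Document:
    doc_id: int
    patient_id: str      # owner of the record
    kind: str            # e.g. "specialist_referral"
    body: str


# Constructed document store with sequential ids, as many back ends use.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "pat-A", "specialist_referral", "referral A1"),
    1002: Document(1002, "pat-B", "specialist_referral", "referral B1"),
    1003: Document(1003, "pat-C", "lab_result", "lab C1"),
    1004: Document(1004, "pat-A", "lab_result", "lab A2"),
}

# Constructed sharing table: doc_id -> extra users allowed to read it
# (for instance the referring GP).  Empty in this example.
SHARING: Dict[int, Set[str]] = {}


class NotFound(Exception):
    pass


class NotAuthenticated(Exception):
    pass


def get_document_vulnerable(session_user: str, doc_id: int) -> Document:
    """Checks only that the caller is logged in.  Any valid account can
    read any document by guessing its id: the 'front door' opened with a
    legitimate password, and everything behind it is reachable."""
    if not session_user:
        raise NotAuthenticated()
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound()
    return doc


def get_document_fixed(session_user: str, doc_id: int) -> Document:
    """Authentication AND object-level authorization.  A document that
    exists but is not the caller's is reported exactly like a missing
    one, so the endpoint cannot be used as an id-enumeration oracle."""
    if not session_user:
        raise NotAuthenticated()
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound()
    allowed = (doc.patient_id == session_user
               or session_user in SHARING.get(doc_id, set()))
    if not allowed:
        raise NotFound()
    return doc


def harvest(handler: Callable[[str, int], Document], session_user: str,
            id_range: Iterable[int]) -> List[int]:
    """What one valid account can pull by walking the id space."""
    got = []
    for doc_id in id_range:
        try:
            handler(session_user, doc_id)
            got.append(doc_id)
        except NotFound:
            continue
    return got


# Constructed access-log lines in a 'user doc_id owner' shape.
ACCESS_LOG = """\
pat-A 1001 pat-A
pat-A 1004 pat-A
pat-B 1001 pat-A
pat-B 1002 pat-B
pat-B 1003 pat-C
pat-B 1004 pat-A
"""


def flag_cross_patient_readers(log: str, threshold: int = 2) -> Dict[str, int]:
    """Detection: count the distinct other patients whose records each
    user has read and flag users at or above the threshold.  Bulk
    exfiltration through an authorization gap looks like one account
    touching many owners, which is cheap to spot in the audit log even
    though every request was individually 'authenticated'."""
    owners = defaultdict(set)
    for line in log.splitlines():
        user, _doc, owner = line.split()
        if owner != user:
            owners[user].add(owner)
    return {u: len(o) for u, o in owners.items() if len(o) >= threshold}
```

Walking ids 1000 to 1009 as `pat-A` against the vulnerable handler returns every document in the store; against the fixed handler it returns only that patient's two records. The detection function flags `pat-B`, who read records belonging to two other patients, while `pat-A` reading only its own records is not reported. The design point in the fixed handler is that an unauthorized id and a non-existent id produce the same error, so an attacker cannot learn which ids are live.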
Kazu has demanded a US$60,000 (A$89,230) ransom for the stolen data, which it says comprises over 420,000 records, and has posted sample patient information while communicating through Telegram.
The ransomware criminals issued a statement on Telegram saying they deliberately target the healthcare sector as they know how valuable and sensitive health data can be.
Ramayah declined to say if ManageMyHealth would pay the ransom, and told RNZ that his own medical records were in the data breach.
The trans-Tasman patient portal provider now faces an official probe into the breach.
New Zealand Minister of Health Simeon Brown announced a review of ManageMyHealth this week to assess the cause of the incident and whether the data protections the company had in place were adequate.
Even if ManageMyHealth is found to have been at fault by the review, New Zealand's privacy legislation provides for relatively low fines of NZ$10,000 (A$8600).
This compares with Australia, where serious breaches can incur fines of up to A$50 million, or 30 percent of a company's turnover.
The health portal provider did not respond to questions sent by iTnews regarding the data breach.
ManageMyHealth is an Auckland-based company with offices in Melbourne and Chennai, India.
The company provides services that allow GPs to share information such as diagnoses and test results with patients, who can use an online portal to view the data, book appointments, request prescriptions and access services from ManageMyHealth's partners.