A shocking ransomware attack has compromised the Manage My Health portal, leading to the theft of medical records belonging to over 80,000 residents in Northland, New Zealand. This incident marks a significant breach of sensitive health information, exposing critical documents such as hospital discharge summaries, clinical letters, and referral notifications dating back to 2017.
Health NZ has confirmed that a total of 86,000 individuals in Northland were affected, which accounts for more than 70 percent of all patients impacted nationwide. The cybercriminal group known as Kazu has demanded a ransom of US$60,000 (approximately NZD$105,000) after infiltrating the privately-operated Manage My Health portal and stealing hundreds of thousands of medical files.
This breach specifically impacted 6-7 percent of the platform's 1.8 million registered users, limited to the "My Health Documents" section. Court documents have revealed that 45 GP practices in Northland were involved in this data breach, highlighting the region as the only area where Health NZ utilizes Manage My Health to exchange information with patients.
In the aftermath of the attack, patients faced significant challenges in accessing their compromised records. Reports indicate that website crashes and overwhelmed helplines made it nearly impossible for individuals to obtain information about the breach. The support line, reachable at 0800, frequently disconnected callers, while the patient portal displayed messages indicating it was "temporarily unavailable."
Since the breach was identified on December 30, Manage My Health has informed about half of the 120,000 affected patients. The organization has acknowledged the technical difficulties encountered during this process but insisted that the notification procedure "cannot be simplified" due to the need for tailored approaches for different groups of patients.
Alex Pimm, the group director of operations for Northland at Health NZ, mentioned that the organization is actively seeking funding to assist general practices in providing consultations and mental wellbeing support for those affected. Patients will also gain access to an 0800 support line for discussions regarding their clinical information.
However, the response from Manage My Health has been criticized as "shambolic, frustrating, and slow" by the College of GPs. President Luke Bradford pointed out that GP practices received inconsistent information, with some being given patient counts without names, while others received complete lists of affected individuals.
Cybersecurity expert Vimal Kumar from Waikato University's Cyber Security Lab has voiced concerns over the nine-day delay in notifying affected individuals. He highlighted fundamental security failures, including inadequately configured DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocols.
The breach exposed three primary categories of data: hospital discharge summaries from Northland covering the years 2017 to 2019, documents uploaded by patients such as address changes and health measurements, and referral documents. Emeritus Professor Murray Tilyard, a clinical advisor, confirmed that even deceased patients were included among those affected.
Following the breach, Manage My Health appointed Tilyard as honorary clinical advisor. His responsibilities include assisting practices in identifying vulnerable patients and reaching out to next of kin for deceased individuals whose records have been compromised.
According to interviews conducted by RNZ with Manage My Health, the ransomware group's latest deadline reportedly elapsed at 5 am on Friday. The company refrained from commenting on whether they would comply with the ransom demand or engage with the hackers.
Patients expressed their frustration over conflicting notifications; some initially received emails indicating their data was safe, only to later receive confirmations of breaches. Many reported difficulties in implementing suggested security measures, such as changing passwords, due to system overload.
As patients became aware of the potential exposure of sensitive information—including histories of abuse, mental health records, and details regarding chronic conditions—their privacy concerns intensified. This incident raises critical questions about the ability of private companies to secure highly sensitive health data adequately.
Health NZ has reassured everyone that its own systems remain uncompromised; however, it acknowledges the gravity of any exposure of patient information. The organization emphasized that it takes any issues related to patient information very seriously, even though the breach occurred on a third-party platform.
This incident underscores the escalating threat of ransomware attacks targeting healthcare providers globally, particularly as patient portals offer an attractive opportunity for cybercriminals due to the sensitive nature of medical data and the potential for extortion payments. The healthcare sector in New Zealand faces growing pressure to enhance cybersecurity measures across both public and private institutions.
