Hackers linked to the cyberattack on Manage My Health have resurfaced online with a new, cryptic message, despite a High Court injunction aimed at stopping the spread of stolen patient data.
The group posted the message, “New 10 GB samples will be shared soon !!!”, a day after deleting all previous posts related to the breach. It is unclear what the hackers mean by “samples” or whether any additional data has been released. The post appeared after Manage My Health secured an interim High Court injunction on Tuesday night preventing anyone from accessing, sharing, or publishing the stolen information and requiring its deletion by anyone who holds it.
As the legal process unfolds, Manage My Health has begun notifying affected users. The company said email notifications started this week and are expected to be completed by early next week. On Thursday, it confirmed that the first 50% of affected patients had already been contacted.
“These email notifications will include an 0800 number that impacted individuals can call for support and assistance should they require,” the company said.
Some users have reported difficulty accessing information online, with RNZ receiving reports of the Manage My Health website crashing amid heavy traffic. Others said they were repeatedly logged out while trying to view updates, prompting some patients to contact their general practices directly for confirmation.
Manage My Health said it intentionally redirected its mobile app to the web application to ensure consistent information during the notification process.
“Visitors to our app will see a pop-up notification alerting them to this. This is intentional. The mobile app will be restored in time and users will be notified of this.”
The company said it was managing communications centrally to avoid “multiple or confusing notifications,” a stance supported by General Practice New Zealand, but some practices have independently informed patients after being given access to lists showing which records were affected.
Based on current findings, Manage My Health said between 6% and 7% of its approximately 1.8 million registered users were impacted - or between 108,000 and 126,000 people. The unauthorised access was limited to the “My Health Documents” module, which stores documents including those uploaded by users.
Most of the affected data originated from Northland, involving around 45 general practices. The information included discharge summaries and referral records that were six to eight years old. A further 355 referral-originating practices across several regions were also affected, along with personal health information uploaded by patients.
Manage My Health has also begun notifying general practices, including those that no longer use the platform, through a secure portal in line with Privacy Act requirements. Practices can see which patients were affected and what types of records were accessed.
The company confirmed that patient accounts and historical records are not automatically deleted when a general practice stops using the service. Chief executive Vino Ramayah said it is up to patients to close their accounts if they want their data removed.
“When… a practice leaves Manage My Health, the patients have a choice to continue to use Manage My Health or they can close the application, in which case we will delete the data,” Ramayah said.
“It’s essentially patient data - we need their consent because we’ll be wiping out a lot of their historical data, so that is why it is stored.”
Hackers identifying themselves as “Kazu” had earlier demanded a ransom of US$60,000 (NZ$103,000), threatening to release hundreds of thousands of files if payment was not made.
Insurance Business NZ
