## Ongoing Concerns Following Manage My Health Data Breach
The recent data breach involving Manage My Health, a popular digital health platform in New Zealand, has prompted significant alarm among users. The company has issued warnings that fraudsters may now be trying to contact individuals affected by the breach by impersonating the online patient portal.
## Notification Updates for Affected Users
Manage My Health reported that most users impacted by the breach have already been notified. However, they have alerted the public that secondary criminals may take advantage of this situation. The organization cautioned that phishing emails and spam messages that appear to originate from Manage My Health could circulate.
In a recent statement, the company emphasized, “We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH.” To combat this, the organization is exploring options to mitigate further impersonation attempts and has provided guidance to help users secure their information.
## Details of the Cyberattack
The breach, which occurred late last year, involved unauthorized access to documents within a limited feature of the platform. Cybercriminals allegedly demanded a ransom, threatening to publish sensitive data on the dark web. If exposed, this information could potentially reveal medical details of over 120,000 New Zealanders.
According to Manage My Health, the attack did not compromise live GP clinical systems, prescriptions, or secure messaging. It was limited to documents located in the “My Health Documents” section, such as reports, test results, and certain clinical documents, including hospital discharge summaries related to care in Northland Te Tai Tokerau.
## Immediate Actions Taken by Manage My Health
Upon noticing unusual activity on their system, Manage My Health acted promptly to secure the breached feature. They blocked any further unauthorized access and initiated their incident response plan. Independent cybersecurity experts were brought in to assess the situation and affirm the breach’s scope. The company has confirmed that although the project is ongoing, the breach has since been contained, and the vulnerability has been eliminated.
## Regulatory and Notification Challenges
Manage My Health acknowledged that their initial response led to some individuals being informed prematurely. The organization highlighted the importance of quickly notifying potentially affected patients, even at the risk of some miscommunication. Following forensic examinations, those not affected by the breach were later informed. Users can verify their status by logging into the Manage My Health application, where a green “No Impact” banner indicates they are unaffected.
The company has stated that ongoing notifications are part of their protocol and reflect the complexity of coordinating communication effectively with patients while adhering to regulations set by the New Zealand Privacy Act. This breach has attracted regulatory scrutiny; the Office of the Privacy Commissioner (OPC) has launched an inquiry, with Manage My Health cooperating closely with authorities including health organizations and law enforcement.
## Legal Actions and Security Monitoring
In response to the cyberattack, Manage My Health sought and received an interim injunction from the High Court to prevent any third party from accessing, publishing, or distributing the compromised data. The organization is actively monitoring known data leak websites and is ready to issue takedown requests if necessary.
To enhance security, the company has taken steps such as remediating compromised account credentials, temporarily disabling the Health Documents section, and implementing continuous monitoring. Additionally, broader security improvements are underway, and an independent investigation into the incident continues without specific comments on technical outcomes at this stage.
## User Guidance and Support
Manage My Health has reassured users that they will never request passwords or one-time security codes. The company emphasized the need for vigilance regarding unexpected or urgent communications supposedly from them. Users approached by individuals claiming to possess their health data are urged not to engage and to report the incidents to the New Zealand Police or Manage My Health support.
To aid those concerned about potential identity misuse, Manage My Health has partnered with IDCARE. This partnership provides free, confidential cyber and identity support services across New Zealand and Australia.
In a statement, Manage My Health remarked, “We take the privacy of our clients and staff very seriously, and we sincerely apologize for any concern or inconvenience this incident may have caused.” They continue to prioritize transparency during the ongoing investigations related to the cyberattack.
