Imagine waking up to the news that your most personal and sensitive health records have been stolen by hackers! This is the reality for over 80,000 residents in Northland, New Zealand, whose medical information was compromised in a devastating ransomware attack.
The attack targeted the 'Manage My Health' portal, New Zealand's largest patient portal, and exposed a staggering 86,000 patient records. This represents a significant breach of trust, with over 70% of affected patients nationwide being from Northland.
The ransomware group, Kazu, demanded a hefty ransom of US$60,000 (NZD$105,000) after stealing hundreds of thousands of medical files. But here's where it gets controversial: the attack was not just about the money. It exposed critical security failures and raised serious questions about the ability of private companies to protect highly sensitive health data.
The breach affected a significant portion of the platform's users, with 6-7% of the 1.8 million registered users impacted. Court documents revealed that 45 GP practices in Northland were part of this data breach, and the region was the only one using 'Manage My Health' for patient communication.
Patients were left in the dark, unable to access information about their compromised data due to technical issues. The support lines were overwhelmed, and the patient portal itself was temporarily unavailable during the notification period.
'Manage My Health' has since notified approximately half of the affected patients, acknowledging technical difficulties but stating that the notification process is complex and cannot be simplified.
The response from the College of GPs was scathing, labeling the company's actions as 'shambolic, frustrating, and slow.' The president, Luke Bradford, noted the conflicting information received by practices, adding to the confusion and frustration.
Cyber security expert Vimal Kumar from Waikato University's Cyber Security Lab criticized the delay in notifications, highlighting basic security failures, including improperly configured DMARC protocols.
The breach exposed three critical categories of data: hospital discharge summaries, patient-uploaded documents, and referral documents. Even deceased patients were not spared, with their records also being compromised.
'Manage My Health' appointed Emeritus Professor Murray Tilyard as an honorary clinical advisor to help identify vulnerable patients and contact next of kin for deceased individuals.
As the ransomware group's deadline passed, Manage My Health remained tight-lipped, refusing to comment on whether they would pay the ransom. Patients expressed frustration over contradictory notifications, adding to the sense of uncertainty and vulnerability.
The privacy concerns are immense. Patients now fear that their sensitive information, including abuse histories, mental health records, and chronic condition details, is in the hands of criminals. This breach raises serious questions about the security measures in place and the ability of private companies to protect such critical data.
Health NZ, while emphasizing the uncompromised nature of its own systems, acknowledged the severity of any patient information exposure. The organization stated that it takes patient information issues very seriously, even when the breach occurs on a third-party platform.
This incident serves as a stark reminder of the growing ransomware threats facing healthcare providers worldwide. Patient portals, with their sensitive medical data, have become attractive targets for extortion. New Zealand's healthcare sector must now confront the urgent need to strengthen cybersecurity protocols across all systems, public and private.
