Ransomware Attack Exposes 86,000 Patient Records: What You Need to Know (2026)

Imagine waking up to the news that your most personal health records, containing intimate details about your body and mind, have been stolen by cybercriminals. This is the reality for over 80,000 Northland residents, whose medical records were compromised in a devastating ransomware attack.

The attack targeted New Zealand's largest patient portal, 'Manage My Health', which stores sensitive health information for 1.8 million users. The breach exposed a staggering 86,000 patient records, including hospital discharge summaries, clinical letters, and referral notifications dating back to 2017.

Health NZ, the organization responsible for managing patient data, confirmed that Northland was the hardest-hit region, with over 70% of affected patients nationwide residing there. The ransomware group, Kazu, demanded a hefty ransom of US$60,000 (NZD$105,000) after stealing hundreds of thousands of medical files.

The incident affected 6-7% of the platform's users, specifically within the 'My Health Documents' module. Court documents revealed that 45 GP practices in Northland were affected. Northland is the only region where Health NZ used Manage My Health for patient communication.

Patients faced additional challenges when trying to access information about the breach. Website crashes and overloaded helplines left many in the dark, with the 0800 support number repeatedly disconnecting callers. The patient portal displayed 'temporarily unavailable' messages, further frustrating those seeking answers.

Manage My Health has since notified approximately half of the 120,000 affected patients, acknowledging technical difficulties but stating that the notification process is complex and cannot be simplified.

The response from Health NZ and Manage My Health has been criticized as 'shambolic' and 'frustratingly slow' by the College of GPs. Cyber security experts have also pointed out basic security failures, such as improperly configured DMARC protocols, which contributed to the breach.

The exposed data included three categories: Northland hospital discharge summaries from 2017-2019, patient-uploaded documents like address changes and health measurements, and referral documents. Even deceased patients were not spared, with their records also being compromised.

In the aftermath, Manage My Health appointed Emeritus Professor Murray Tilyard as an honorary clinical advisor. His role involves helping practices identify vulnerable patients and contacting next of kin for deceased individuals.

As the ransomware group's deadline passed, Manage My Health remained tight-lipped about whether they would pay the ransom or engage with the hackers. Patients expressed frustration over contradictory notifications, with some receiving initial messages stating their data was safe, only to be informed later that their records were indeed compromised.

The breach has raised serious privacy concerns, as patients realize that sensitive information about abuse histories, mental health, and chronic conditions is now potentially in the hands of criminals. It highlights the risks associated with private companies storing highly sensitive health data without robust security measures.

Health NZ emphasized that their own systems remain uncompromised but acknowledged the severity of any patient information exposure. They stated, "We take any issue involving patient information very seriously, even when it occurs on a third-party platform."

This incident serves as a stark reminder of the growing ransomware threats facing healthcare providers worldwide. Patient portals, with their wealth of sensitive medical data, have become attractive targets for cybercriminals seeking extortion payments. New Zealand's healthcare sector must now confront the urgent need to strengthen cybersecurity protocols across all systems, public and private.


Author: Geoffrey Lueilwitz
