New Zealand orders review into ManageMyHealth cyberattack
New Zealand health minister Simeon Brown has ordered a review into the cyberattack at ManageMyHealth. Brown told reporters on Monday that he asked the government to begin reviewing the incident, including its cause, scope, the company’s defenses, and the wider impacts on data access across the country. ManageMyHealth is a private company that offers a platform used by medical facilities across New Zealand to access patient health records. According to its website, it handles the data for around 1.85 million locals, and the breach affected an estimated 6-7 percent of them.
“This breach of ManageMyHealth data is incredibly concerning, particularly to the over 100,000 patients and their families who have had their very most personal data, which is their health data, breached through this incident,” Brown said. Brown emphasized that this information represents deeply intimate patient details.
A miscreant going by the name Kazu claimed responsibility for the attack via a cybercrime forum post on December 30. They said the stolen data included more than 428,000 files, which would be opened up for sale if ManageMyHealth did not pay the $60,000 ransom demand by January 15. However, on Telegram, Kazu said on January 3 that all the data would be released within 48 hours if the company did not pay. New Zealand’s official stance on paying ransoms mirrors that of its Western geopolitical allies: do not do it. Kazu released snippets of the data via Telegram, although the links were flagged as abuse material on the file-sharing site and are no longer usable. IT consultant Cody Cooper, who told RNZ he investigated the data involved before the links were taken down, said it includes passport scans, details of patients’ conditions, nude images, and more.
A fact sheet posted to ManageMyHealth’s website states the company believes the incident is contained, and digital forensics experts are now combing the evidence to establish the full extent of the attack. “Our immediate priority is safeguarding the integrity and security of our systems,” said ManageMyHealth. “We are working with independent cybersecurity specialists, the Privacy Commissioner, the New Zealand Police, and Health New Zealand to coordinate our response. We have implemented additional monitoring and security improvements.” ManageMyHealth refused to “speculate” on what kinds of data were included, saying that efforts are still underway to determine what was downloaded and/or accessed. It stated: “‘Accessed’ means an unauthorized party may have viewed or opened files. ‘Downloaded’ means files were copied out of the environment. Independent forensics are being used to confirm what was accessed and what may have been downloaded.” Brown also told media that ManageMyHealth applied for an injunction on Monday to prevent the dissemination of any data that the cybercriminal releases. The company advised users to regularly change their passwords and use authentication apps for multi-factor protection. “If we confirm that your information was affected, we will notify you directly. As a precaution, we recommend following online safety best practices.”