9 Jan 2026

Manage My Health patients draw blanks in quest for information on cybersecurity breach

8:17 pm on 9 January 2026
The company has apologised for the breach and hopes to have contacted affected patients by early next week. Photo: RNZ / Finn Blackwell

Patients whose health records have been stolen in the Manage My Health ransomware attack are struggling to get any information, with the website repeatedly crashing and the 0800 number overloaded.

Andrea*, who lives in Wellington, said she received an email on Friday, telling her that she had been "impacted" and to log on to Manage My Health for more details.

"Except I can't log in, as it's 'temporarily unavailable'," she said. "I called the helpline included and was apparently No. 2 in the queue.

"I waited and waited, and had several more 'Sorry to keep you waiting' messages, but then at 11 minutes, the call was cut off.

"I called back and there was an automated message saying, 'Due to the high volume of queries, we are unable to take your call'."

Andrea tried a couple of times more over the morning, before giving up.

She said she had been prepared to give Manage My Health "the benefit of the doubt" until now.

"First of all, I thought, 'Well, no news is good news', but that was not the case, because it turns out I am impacted. Then I was, like, 'OK, I'll trust the process', but I no longer trust the process.

"I naively gave them the benefit of the doubt, but now I'm just angry."

She messaged the company and planned to lay a formal complaint with the Privacy Commissioner.

Patient health portal Manage My Health said there's no scenario where they can instantly notify those affected by a data breach.

In a statement released this evening, the company said it understood how patients were feeling, but the notification process could not be simplified.

"We understand it is distressing and appreciate the frustration at the timing of communications. However, this is a complex exercise which unfortunately cannot be simplified due to the separate cohorts of patients affected which have to be dealt with in different ways."

Mixed messages

Another patient, Nel*, said she received two emails from Manage My Health on Friday, advising that her health documents had been impacted in the data breach "and offering their sincere apologies".

"I was directed to the website to log on for more information about the health data that was impacted," she said. "When I logged on, I was advised my personal health data was not affected by the breach.

"It is very hard to have any faith in Manage My Health to 'manage' this situation and protect my health information."

Where were checks and balances, patients ask

Lou* is angry with the criminals behind the ransomware attack - but even more furious with Manage My Health's "arguably criminal negligence" and poor communication.

"I know for a fact, based on the limited information provided by Manage My Health, that some of my most sensitive information is now in the hands of someone unknown, and there is now a crescendoed risk of me being targeted for scams and potential ID theft.

"The potential documents now hanging in the balance contain a lifetime's details of health records... hugely vulnerable details of my worst moments, healthwise.

"Beyond that, we have not yet been informed of further data now made available as ammunition."

It was hard to understand how a private company had been allowed to store highly sensitive information without basic safeguards, Lou said.

Overseas users locked out

A New Zealander currently based overseas said Manage My Health had blocked her ability to secure her account, ironically, for "security reasons".

The email from Manage My Health informing her that her account had been affected listed three recommended security steps - changing her password, enabling multi-factor authentication and "stay[ing] alert for any unusual account activity".

"However, because I am overseas, MMH has blocked my ability to access my account.

"The email I received from MMH suggests that this is because of recent steps MMH has taken to tighten security - 'We've added extra checks when people log in and limited how many times someone can try to access the system in a short time'.

"However, as a legitimate user of the MMH system who just happens to be overseas right now, I find myself unable to implement any of the recommended security steps or access any of the information in my MMH account."

She said she was frustrated with the time Manage My Health had taken to make contact and the additional barriers.

"This is a frustrating over-correction. Not only does it prevent me from taking the steps necessary to secure my information, it also appears to be another privacy breach.

"I can no longer access my own personal health information, without sharing my login details with somebody who is located in NZ, which I imagine is also a breach of MMH's terms."

Blank emails

Grant* said he received an email on Friday morning headed "Important: Information About Your Manage My Health Account", but the email was completely blank.

"I don't know if my data has been compromised or not.

"My wife opened it with the mobile phone and had the information that my details had been accessed, but trying on the desktop, there's nothing showing on the email."

Gemma* said she was also told that her account had been impacted, with a "summary" of the incident, but could not get through on the 0800 number provided.

"I called this morning and was 13th in the queue, before it cut me off, and it's now overloaded and tells you to try again in an hour.

"Needless to say, I still haven't been able to get through. It does go on to tell you the steps that have been taken.

"The email also says you have the right to complain to the Office of the Privacy Commissioner, but fails to tell you that the OPC won't accept a complaint, until you have complained to the provider first."

Manage My Health has apologised for the cybersecurity breach and said it hoped to have contacted all affected patients by early next week.

Manage My Health said it was aware of some users facing technical difficulties with receiving emails, accessing the patient portal and viewing documents in their account.

It directed those people to contact them using the existing methods.

The company said its focus was on direct communications with those affected by the breach.

"MMH would like to reiterate its sincere apology to those impacted by this criminal cyber breach," it said.

It said all remaining patients affected by the breach were expected to be notified by early next week.

"More than half of all impacted patients have now received a notification email."

Manage My Health said it was unable to provide any comment on the hacker, Kazu, or any ransom demand.

*names changed for privacy reasons
