5 Jan 2026

Government orders review into ManageMyHealth data breach

6:21 pm on 5 January 2026

Health Minister Simeon Brown. Photo: RNZ / Mark Papalii

Health Minister Simeon Brown has commissioned a review by the Ministry of Health into the response to a cyber security breach of patient information on ManageMyHealth.

ManageMyHealth also revealed today that it had filed papers in court seeking an injunction as it grapples with the major data breach.

The application has been lodged in the High Court at Wellington. No hearing date has been set.

Hackers have threatened to release 400,000 stolen documents from patient files if ManageMyHealth doesn't pay by Tuesday.

Brown told a media conference that ManageMyHealth was seeking an injunction on patient data being used publicly, but that was being managed by the company.

Other work was also being done to minimise any damage, he said.

"We are taking this very seriously and doing everything we can."

"People who hold data are responsible for that," he said. "It is the agency that holds that data that has responsibility."

He said it would also be up to ManageMyHealth to notify those affected, but health data was among the most personal information and needed to be protected to a higher standard.

"We need to do better," he said.

'I think it's a very serious breach' - Health Minister

Brown told RNZ the breach was not acceptable.

"I think it's a very serious breach, it's not just the large number of New Zealanders impacted, over 100,000, but it's the nature of the information that has been breached.

"New Zealanders have a right to expect that their data, which is being held by entities, whether public or private, is being held to the highest of standards," Brown said.

"I think there's certainly lessons that need to be learned, I think it's pretty unacceptable what's happened to be honest.

"I think many New Zealanders will be very concerned about this."

The minister said people needed to have trust and confidence in digital tools used across the health system.

But he said in this case, ManageMyHealth was "ultimately responsible" for managing the breach.

"They should be making sure that data is protected," he said.

"They are responsible under the Privacy Act for notifying their patients and we are, as government, providing them a significant amount of support to help them through that process."

Brown said he would not pre-judge the outcome of the review.

He said he had asked the Ministry of Health to put the process together for the review and once that was done there would be further announcements and detail.

The ministry will carry the cost of the review, and the minister said he did not know at this stage how much it would cost.

"But ultimately I think New Zealanders would expect that something like this would be done because lessons need to be learnt."

He said the data involved people's most personal and private information and they expected those holding their data to hold it to a very high standard.

"And that's the expectation that I have as well as Minister of Health."

The government's long-standing position was that ransoms should not be paid, he said.

"Ultimately, these are criminal actors who act with criminality."

Brown said he spoke with ManageMyHealth's chief executive last week and he made "expectations incredibly clear" around the need for it to be clear and transparent in communications with the public and its users, and to work closely with other agencies.

"Since then, obviously, agencies have set up an incident management team and are working very closely with Manage My Health around the clock."

When asked if he was seeking assurances from other similar health platforms about their security, the minister said the current breach was the main focus.

Brown wanted the review to start as quickly as possible, he said.

The minister has written to the Director-General of Health asking that the review commence by the end of the month.

The purpose of the review was laid out in Brown's letter, and included:

  • to assess the cause of the incident
  • to review the adequacy of data protections in place, and the response to the incident
  • to recommend any improvements required to prevent similar incidents in future

The letter set out that the review should begin as soon as possible, but noted it was "important that the review does not distract from the immediate response to the incident".

Brown said Health NZ had been advised there was no impact on its systems, and it was working with GPs to find out how patients may be affected.

The confirmation of a review came five days after ManageMyHealth claimed on New Year's Eve a cybersecurity breach involving unauthorised access to its systems had been "contained".

The company, which hosts New Zealand's largest patient information portal, the next day said up to 7 percent of its roughly 1.8 million registered users may have been impacted - about 126,000 people.

The hackers on Sunday threatened to leak more than 400,000 files unless the company paid them $60,000.

They had accessed the medical documents section of the ManageMyHealth app, and samples of documents for potential "buyers" included clinical notes, lab results, passport details and photos of people's bodies.

Brown said a team had been meeting daily to co-ordinate advice and support across government agencies and he had been receiving daily updates since 1 January.

"I know this breach will be very concerning to the many New Zealanders who use ManageMyHealth, and we need assurances around the protection and security of people's health data," Brown said.

"We must learn from this incident, to avoid any repeat events in the future."

He had earlier told RNZ it was a "deeply serious situation" and a "big wake-up call".

It was unknown where the hackers, calling themselves Kazu, were operating from, he said.

Meanwhile, ManageMyHealth has identified all patients who have had their health records stolen - but cannot yet say when they will all be told.

A spokesperson for ManageMyHealth said it hoped to have an update later in the week once all the communications with GPs and affected patients had been co-ordinated with the Ministry of Health, Health NZ, Privacy Commissioner and GPNZ.

"We are not waiting to determine who is affected - we know."

The company was working to provide "a timeframe for communications" by Tuesday.

Because the health documents originated from multiple sources, there were many different agencies with obligations under the Privacy Act and the Health Information Privacy Code to notify affected individuals.

"This requires co-ordination to ensure we meet our legal obligations and do not create confusion for patients by having different organisations contact them separately about the same incident."

The spokesperson said it would "not be appropriate to comment" on specific technical matters while the review was ongoing.

"What we can confirm is that we became aware of this incident on 30 December when we were notified by a partner, and we notified the relevant authorities that same day. The specific vulnerability that allowed unauthorised access has been identified, patched, and independently verified by external cybersecurity specialists."
