A significant data breach has emerged concerning ManageMyHealth, a trans-Tasman health information portal, leaving many of its 1.85 million registered patients anxious about the security of their sensitive information. The breach, which reportedly involved a ransomware group known as Kazu, has raised alarms about the potential exposure of around 108 gigabytes of patient data to the internet.
The breach was first acknowledged on December 30 when ManageMyHealth was notified of unauthorized access to its systems. Users were informed about a cybersecurity incident only when they attempted to log in to the portal, leaving many oblivious to the breach until social media and news reports surfaced. No proactive notifications were dispatched to users from ManageMyHealth regarding this serious security lapse.
According to ManageMyHealth, approximately six to seven percent of its users may be affected by the breach, which translates to an estimated 111,000 to 129,500 individuals. The company has stated that it has contained the breach and reset its mobile application, simultaneously advising against any communication with the attackers. This move comes in light of a High Court injunction recently obtained by ManageMyHealth, which prohibits third parties from accessing any stolen data.
CEO Vino Ramayah disclosed to Radio New Zealand that the attackers exploited vulnerabilities in ManageMyHealth’s system, gaining access through a legitimate user password. This approach exemplifies initial access tactics outlined in the MITRE ATT&CK framework, potentially involving credential access techniques through phishing or exploitation of weak password policies.
In the aftermath, Kazu has demanded a ransom of $60,000 for the stolen data, threatening to release sensitive patient information if their demands are not met. This form of intimidation underscores a concerning trend in which ransomware groups specifically target the healthcare sector, driven by the high value of personal health data.
As authorities investigate the incident, New Zealand’s Minister of Health, Simeon Brown, has announced a formal review of ManageMyHealth’s cybersecurity measures to determine the effectiveness of existing data protection protocols. Should the review find the company at fault, it is important to note that New Zealand’s privacy legislation imposes relatively modest fines compared to jurisdictions such as Australia, where breaches of this magnitude could incur penalties as high as $50 million.
While ManageMyHealth refrained from responding to inquiries from iTNews regarding the breach, it remains critical for organizations in the healthcare sector to reinforce their cybersecurity frameworks. As this incident unfolds, it highlights the necessity for vigilance in addressing potential vulnerabilities and the implementation of robust risk management strategies.
The rapidly evolving realm of cyber threats emphasizes the importance for business owners to become educated about these risks. Awareness and readiness against such incidents can significantly mitigate potential damage, ensuring the integrity of sensitive patient information and maintaining trust within the healthcare infrastructure.
