A Wellington law firm is looking to do something about the Manage My Health data breach. Any thoughts on whether it's a good or bad idea to join them?
#NZ #Privacy Petition, following on from #ManageMyHealth breach
There's a new petition on the NZ Parliament site, to 'Strengthen enforcement powers and penalties under the Privacy Act 2020' - https://petitions.parliament.nz/88fd4852-1539-419c-af36-08de4ca872ae?lang=en.
It was initiated by Katja Feldtmann, who spoke to RNZ about it - https://www.rnz.co.nz/news/political/584086/cyber-security-expert-launches-petition-to-parliament-calling-for-harsher-penalties-for-privacy-breaches.
Keith Ng at the Herald has a good summary of what's known and where we're at.
"MMH has confirmed that only a single stolen user account was used in the attack. Posing as a normal user, the hackers were able to trick the application interface into providing the files for 127,000 other users. The control mechanisms meant to stop one user from accessing other users’ files had failed, or did not exist."
It sounds like they accessed one person's files, then trimmed the URL to move up a directory or two where they found paydirt.
So less of a hack, more of a problem with poor or non-existent security.
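As an added illustration, not code from the thread or from MMH, of the object-level authorization check the quoted summary says had failed or did not exist: a file-lookup keyed only by document id beside a version scoped to the logged-in user, plus a path check against the "trim the URL to move up a directory" idea. Document store, user ids and storage root are constructed assumptions.

```python
from dataclasses import dataclass
from pathlib import Path


class Forbidden(Exception):
    """Raised when a user asks for a document they do not own."""


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    path: str  # relative path under the owner's directory


# Constructed sample data: two patients, one document each.
DOCUMENTS = {
    "doc-1": Document("doc-1", "user-1", "results/2025-blood.pdf"),
    "doc-2": Document("doc-2", "user-2", "results/2025-xray.pdf"),
}

STORAGE_ROOT = Path("/srv/portal-files")  # hypothetical storage root


def fetch_document_unchecked(doc_id: str) -> Document:
    """The failing pattern: lookup by id alone, so any authenticated
    user who guesses or enumerates ids receives someone else's file."""
    return DOCUMENTS[doc_id]


def fetch_document(session_user_id: str, doc_id: str) -> Document:
    """Hardened: the lookup is scoped to the caller. A document owned by
    another user is treated exactly like a missing one."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        raise Forbidden(f"{session_user_id} may not read {doc_id}")
    return doc


def resolve_storage_path(session_user_id: str, relative: str) -> Path:
    """Second layer: the resolved path must stay inside the caller's own
    directory, so '..' segments cannot climb into other users' folders."""
    user_root = (STORAGE_ROOT / session_user_id).resolve()
    candidate = (user_root / relative).resolve()
    if candidate != user_root and user_root not in candidate.parents:
        raise Forbidden(f"path escapes {user_root}")
    return candidate


def is_denied(fn, *args) -> bool:
    """True if the call is refused by the authorization layer."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The unchecked function is kept only to show the contrast; a real handler would expose just `fetch_document` and `resolve_storage_path`, both taking the identity from the server-side session rather than from the request.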
Despite nagging from my local surgery, I've never signed up for Manage My Health. But in the last two weeks I've had six emails like this. Clearly I'm in the database without my permission. Can anyone shed light on this?
If your GP practice uses MMH or has used it in the past, you're on their system, whether or not you enrol for their service.
@RedRobyn declined the service, but may have documents at risk because the GPs use it.
@oseiler reports despite their GP practice switching from MMH to another provider, MMH kept all their records. They also received a message to say their data wasn't stolen, followed by another saying it had been.
MMH confirms that unless each individual customer closes their account, it remains active in the background, forever. I wonder how many of their claimed 1.8m users are actually zombie accounts?
In terms of breach management, MMH has ballsed-up their response spectacularly.
Given the lack of transparency around the ManageMyHealth breach, Auckland software developer Marcus Crane has put together a damn good summary of what is known so far.
He's even swapped messages with the hacker/s.
Cybersecurity analysis of #ManageMyHealth finds serious deficiencies. Looks like a #DataBreach was inevitable. Better #infosec needed. Similar question for many large organisations NZers trust with their data and privacy.
https://blackveil.co.nz/blog/managemyhealth-breach-analysis-2025
One wrinkle with this whole Manage My Health thing is how they retain data for customers they no longer have. I know this because my local practice switched from Manage My Health to MyIndici, but our Manage My Health accounts were kept open, with no indication the accounts would ever be closed or data deleted.
I complained to my local practice earlier in the year, and eventually got the answer that Manage My Health were the ones who made the call to retain the data.
Active thread with an update on Kazu hack of #ManageMyHealth
https://bsky.app/profile/utf9k.net/post/3mbd43ipkzc2f
#ManageMyHealth will start notifying users of #DataBreach and next actions soon. Company now working with NZ #Privacy Commissioner.
#AoNZ #InfoSec
https://www.rnz.co.nz/news/national/583030/managemyhealth-reveals-scope-of-data-breach
Whelp, it was lovely having private medical records. Shame it didn't last.
Here's a policy I'd like to see included in a comprehensive digital-age privacy protection bill;
If a company stores people's personal information, they must supply;
* a single-click way to delete an account and all its data
* a phone number those people can call and get immediate assistance, or failing that, an automated callback
* an address those people can email and get a response within 48 hours. In case they want to have a written record of their interaction with the company
A couple of months back, I evaluated the privacy policy of ManageMyHealth.co.nz (MMH);
https://mastodon.nzoss.nz/@strypey/114862089185059650
TL;DR Nuke it from orbit, it's the only way to be sure.
Since then, I've been getting nagmails from MMH trying to get me to use their platform. Today I tried to figure out how to get this spam to stop.
(1/?)
Well, I finally got around to evaluating the #ManageMyHealth portal;
https://managemyhealth.co.nz/about-us/
When my GP suggested I sign up with it, I presumed it was a public service offered by Te Whatu Ora, like My Health Record;
https://www.tewhatuora.govt.nz/health-services-and-programmes/digital-health/my-health-record
So what do I think of Manage My Health? Not impressed. This is a privately-owned, for-profit digital platform, that I can't be certain isn't #DataFarming patients who sign up with it.
(1/?)