��һ�ǿ�����

• More than 108,000 ManageMyHealth users are affected by a cyber data breach.
• CEO Vino Ramayah confirmed the breach and said affected users would be notified within 48 hours.
• The Privacy Commissioner, police and Ministry of Health have been notified.

More than 120,000 people who use the ManageMyHealth portal are thought to have been caught up in yesterday’s cyber data breach.

They should start hearing from the company in the next 48 hours about whether and how their private medical information has been accessed.

ManageMyHealth is an online service connecting patients with clinicians and allows people to access their medical records.

It is said to be New Zealand’s largest patient information portal.

Yesterday, ManageMyHealth CEO Vino Ramayah confirmed a cyber security incident had been identified on Wednesday involving “unauthorised access” to the platform.

He said the incident had been contained and was under investigation.

But he could not give any in-depth information about the situation, which was criticised by GPs.

“We are working closely with the relevant authorities and independent cyber security specialists and we will provide updates through formal statements as further information is confirmed,” Ramayah said initially.

This afternoon he provided the Herald with further details on the breach.

“Since we were alerted, our team has been working very hard to ensure that the application is secure,” he said.

“We believe the incident has been contained and we have engaged independent international forensic consultants to further verify the solution we have put in place and determine the extent of the data that is affected.

“Based on our investigations to date, we believe between 6 and 7% of the approximately 1.8 million registered users may have been affected by this incident.”

That equates to between 108,000 and 126,000 users.

Ramayah said ManageMyHealth had “begun analysis to identify users affected”.

“As you can appreciate, this is a complex exercise, and we expect to start notifying those affected within the next 48 hours.”

He said the Privacy Commissioner had been notified and was working with ManageMyHealth to meet its obligations under privacy legislation.

The police and Ministry of Health had also been notified and Ramayah said he was “engaging” with the agencies “and other organisations” to co-ordinate a response.

“We recognise that any incident involving health information can cause anxiety and distress,” he said.

“People rightly place a high level of trust in systems that hold their health data, and we understand the concern this situation may create for patients, providers and partners.

“We want to thank users and the sector for their patience while a complex investigation continues.”

The matter has been reported to the police, Privacy Commissioner, Ministry of Heath and other agencies.

Ramayah said to support patients and providers, ManageMyHealth would provide a detailed FAQ to “help resolve their questions where possible”.

“To ensure your online security, we strongly recommend you read the guidelines provided by the Own Your Online website.”

He said ManageMyHealth took its obligations to data security seriously.

“We understand how personal and sensitive health information is, and we recognise the stress an incident like this can cause,” he said.

“Our team is working hard to identify those affected, and to communicate directly and transparently.

“Manage My Health will provide a further update at 3pm tomorrow [January 2].”

Earlier today, GPs criticised the lack of information.

College of GPs president Dr Luke Bradford told RNZ he only learned about the potential breach through the media.

“It’s terribly disappointing. They’re an absolutely key tool that we use for patients. It allows patients to access their records and better manage their health, literally,” he said.

“But if their data’s not safe, then their very personal information is not safe, and that’s really concerning.”

It was “terrible timing”, with most practices closed for four days, he said.

“We’re going into this period without any formal communication about what’s involved in the breach and what can be done about it.”

General Practice NZ chairman Dr Bryan Betty agreed the situation was worrying.

“Health data in terms of patients is incredibly important and any breach like this has to be taken extremely seriously and has to be actioned as a matter of urgency,” he said.

“There should be obviously free and open transparency about the situation and what’s actually happened, both for patients and practices that use the ManageMyHealth portal.

“So I would expect that to be part of their management of the present situation.”

Anna Leask is a senior journalist who covers national crime and justice. She joined the Herald in 2008 and has worked as a journalist for 20 years with a particular focus on family and gender-based violence, child abuse, sexual violence, homicides, mental health and youth crime. She writes, hosts and produces the award-winning podcast A Moment In Crime, released monthly on nzherald.co.nz