General practitioner (GP) clinics are working quickly to inform their concerned patients about the aftermath of the Manage My Health ransomware attack, which has put hundreds of thousands of highly sensitive records at risk.
In their most recent update at 5pm on Wednesday, the company stated that they would start notifying affected patients within the next 24 hours and aim to complete this process by early next week.
Notifications will be initially sent via email to the address used to register the account, and will include a helpline number for support and assistance.
Manage My Health has been working closely with Health New Zealand, the Office of the Privacy Commissioner, General Practice NZ, and GP practices to ensure that patients receive clear and consistent information and do not receive multiple or confusing notifications about the same incident from different organizations.
Despite this, some patients have already been directly contacted by their healthcare providers to confirm that their documents were compromised.
There are questions raised by some patients about why practices did not conduct more thorough checks themselves, especially after it was discovered that the portal retained patient records even after they switched providers.
One woman from Wairarapa shared her experience with RNZ, stating that she was previously told by her practice that her records would have been archived and deleted when she changed providers a year ago. However, when she checked the Manage My Health app, she found all her information was still there.
Concerned about the potential misuse of the stolen information for financial scams and identity fraud, she emphasized the vulnerability of her community, particularly elderly residents who may be affected without realizing it.
Amid the mixed messages from clinics, Manage My Health’s owner and chief executive, Vino Ramayah, explained that patient consent is required before historical data can be deleted, even if patients change doctors or terminate their contract with a GP.
Several clinics have been posting different online messages since news of the cybersecurity breach, with some reassuring patients that their records are safe, while others advise caution and provide guidance on changing passwords and enabling two-factor authentication for added security.
Patients are also warned to be wary of scams and to avoid sharing passwords or verification codes with unknown sources.
As the situation continues to unfold, clinics are working with IT security providers and Manage My Health to ensure the safety and security of patient data, while also preparing to notify affected individuals and provide necessary support.
Concerns Raised by Patients
One patient in Wellington, who chose to remain anonymous, expressed his worries after a healthcare provider confirmed that his documents were among those stolen by hackers.
According to the patient, the practice manager had instructed Manage My Health to delete his records once the migration to another provider was complete, but this was not done. Upon checking, he found over 200 of his documents still accessible on Manage My Health.
He emphasized the sensitivity of his claim and the potential risks to his life if unauthorized individuals gained access to his details. He shared his frustration, stating that he knew others who were also feeling fearful.
“We’ve got the government trying to push for centralised medical storage that anyone anywhere in the country can access and I’m like ‘Hell no, over my dead body’.”
Another patient expressed disappointment in the lack of communication from her practice regarding the hacking incident.
“I’m highly disappointed in not only the hacking, but the deafening silence from my doctors and from Manage My Health. I found out this had happened via a Facebook group where someone had shared a news article about it.”
