Geekzone: technology news, blogs, forums
geek3001
221 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3449946 5-Jan-2026 12:35

Rikkitic:

This company has lost its right to represent anyone's health interests.

I tend to agree.

The problem is, what can replace them?

Will it be any better or less of a risk?

If lots of people who care about their private medical info security demand that their medical info no longer be handed over to third-party providers like MMH by their GP practice, then what happens?

Would the GP practices then have to on-board this stuff and do it themselves?

Would they have the capacity to do so and, if so, at what cost to them and ultimately to us, the patients?

Will doing it in-house be any more secure?

This breach is an eye-opener and could develop into a rather large can of worms in some respects.




raytaylor
4076 posts

Uber Geek
+1 received by user: 1296

Trusted

  #3449947 5-Jan-2026 12:49

geek3001:

Will it be any better or less of a risk?

I remember walking into a doctor's office when we took over their IT, about 2010ish, when I used to do business IT.
I noticed that the doctors would terminal services in from home, into a small business server.

That same server hosted the SQL database for mypractice or medtech32 - I forget exactly which PMS they were using. And it had the patients' file attachment data folder.

Port 3389 was left wide open - we were no longer going to have any of that, so I shut that right down.





Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here
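A check for the exposure Ray describes (RDP allowed inbound from any address on the server holding the PMS database), as an added example that is not part of the thread: it parses the text that `netsh advfirewall firewall show rule name=all` prints on Windows and lists the rules that open 3389 to any remote IP. The export it runs on is constructed sample input with one world-open rule beside one restricted to an assumed VPN subnet.

```python
# Added example, not from the thread: flag rules in a `netsh advfirewall firewall show rule name=all`
# export that open TCP/3389 to RemoteIP "Any" (the exposure above). SAMPLE_EXPORT is constructed.
import re

SAMPLE_EXPORT = """\
Rule Name:                            Remote Desktop - User Mode (TCP-In)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            RDP from VPN subnet only (TCP-In)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             10.8.0.0/24
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow
"""

def parse_rules(text):
    """One dict per rule; each 'Rule Name:' line starts a new rule block."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {key: value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules

def port_matches(local_port, port):
    """LocalPort may be 'Any', one port, a comma list, or a range like 3389-3390."""
    return local_port == "Any" or any(
        lo.isdigit() and int(lo) <= port <= int(hi or lo)
        for lo, _, hi in (p.strip().partition("-") for p in local_port.split(",")))

def exposed_rdp_rules(text, port=3389):
    """Names of enabled inbound Allow rules that open `port` to any remote address."""
    return [r["Rule Name"] for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("Protocol") in ("TCP", "Any")
            and port_matches(r.get("LocalPort", "Any"), port)
            and r.get("RemoteIP") == "Any"]
```

Run it against a real export by saving `netsh advfirewall firewall show rule name=all` to a file and passing its contents to `exposed_rdp_rules`; an empty list means no enabled rule exposes RDP to every remote address.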


raytaylor
4076 posts

Uber Geek
+1 received by user: 1296

Trusted

  #3449948 5-Jan-2026 12:51

duckDecoy:

I imagine they won't ruin their reputation for a mere 60k; if they renege after being paid, nobody would ever pay their ransoms again.

The problem is that if they pay, then that hacker group will go and hack someone else and hold them to ransom.
That's why it's illegal in many countries to pay a ransom, because it just encourages the hackers to do it more.





Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here




larknz
1978 posts

Uber Geek
+1 received by user: 382

ID Verified
Lifetime subscriber

  #3449953 5-Jan-2026 12:57

geek3001:

Rikkitic:

This company has lost its right to represent anyone's health interests.

I tend to agree.

The problem is, what can replace them?

Will it be any better or less of a risk?

Our GP uses MyIndici, although I don't know if this is better or worse.


geek3001
221 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3449955 5-Jan-2026 12:58

lurker:

@Rikkitic There's a FAQ linked on the main page that tries to answer all questions.

Have MMH actually grasped one elephant in the room, being the seriousness of the situation that their mismanagement of private data has potentially put some people in?

Having various reports and documents with personal details scattered across the Internet could be life-changing or even life-threatening for some people.

Then we have a report that there are photos in the exfiltrated data of scantily dressed people taken during annual skin checks. What happens if they are correctly name-matched and appear on websites via standard searches? I fall into this category, so am very interested in whether I'm affected.

MMH need to be held accountable, as do the Ministry of Health, as they and the Minister of Health are ultimately responsible for this breach by delegated authority. I doubt, however, that we have any suitable laws in NZ to do so.

I also believe a miracle will be needed to remove data that is made public via servers located in foreign jurisdictions.


geek3001
221 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3449956 5-Jan-2026 13:01

raytaylor:

Port 3389 was left wide open - we were no longer going to have any of that so I shut that right down.

Scary, but oh so true. If I had a dollar for each time I had encountered this elsewhere years ago, well, a lot of bills could have been paid.


 
 
 

gzt
18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3449959 5-Jan-2026 13:22

It's not unusual for real security to take a backseat to business demands and pressures. Large privacy negligence fines are really the only business incentive against business driven negligence.

Probably there should be some standard security audit requirement for any business with customer data. Practical audit costs can be easily massively reduced with reduction in surface area and adoption of appropriate technologies. Even so, tricky thing to specify in law but not entirely impossible.

geek3001
221 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3449960 5-Jan-2026 13:32

gzt: It's not unusual for real security to take a backseat to business demands and pressures. Large privacy negligence fines are really the only business incentive against business driven negligence.

Agree, with, if I may, a caveat for clarity.

I would argue that it is not the business that should be fined or prosecuted; it's the directors and the CEO of the business who should be fined and/or face custodial sentences.

Fining the business itself really only ends up penalising the source of income for the business - we the customers. The directors and CEO might have their names dragged through the mud, but that's about all; unless they have their tenure terminated, it's still not much of a penalty.

Unless or until the people governing and managing businesses personally feel the effects of properly enacted laws (without the effect of liability insurance), there will be no real penalty.

Putting that higher level of accountability in place will go a long way toward ensuring that things that must be done properly actually get done properly.


PolicyGuy
1821 posts

Uber Geek
+1 received by user: 1772

ID Verified
Lifetime subscriber

  #3449962 5-Jan-2026 13:36

geek3001:

Rikkitic:
This company has lost its right to represent anyone's health interests.

I tend to agree.
The problem is, what can replace them?
Will it be any better or less of a risk?

I think the underlying problem is that this is AIUI a "pure" completely unregulated market - anybody can set up a "Patient & Provider Portal" and provide a patient & medical practice data management service. They can claim to be (and might actually be) as 'safe' and 'properly secured' as they like, and nobody has any responsibility to see if the claims are well founded, based on a complete misunderstanding of the requirements, or made recklessly or even fraudulently. The only validation of claims of safety & security will happen in a post mortem investigation after there has been a catastrophe**.

I think that the Director General of Health should introduce a licensing routine for any holder of personal medical information.
The licensing regime would apply to all such information holders, so Health NZ / Te Whatu Ora and its various organisations would also have to comply. Licensees would not only have to be, and employ, persons of good reputation (i.e. Police checks), but also be subject to mandatory security reviews and audits (including penetration testing) of their systems to ensure that all reasonable measures are being taken to mitigate or eliminate risks of loss, corruption or unauthorised exposure of patient data.

Unfortunately, I don't expect this to happen because it would be politically opposed as being "Nanny State interference with The Market", and also because there would be deep concerns that big chunks of the public sector health informatics sector would fail the licensing tests and would cost a great deal of money to fix.
Sigh

** Like most Enquiries into catastrophic events in NZ, I would expect that the eventual report would find that the problems were 'systemic', that no individuals or companies were to be held responsible, and nobody would be sanctioned or fined, let alone sent to prison. It's The kiwi Way. 😡


gzt
18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3449964 5-Jan-2026 13:44

Kazu is in the wrong business. Security auditing pays better and has guaranteed annually recurring revenue.

gzt
18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3449967 5-Jan-2026 13:51

geek3001: I would argue that it is not the business that should be fined or prosecuted, it's the directors and the CEO of the business who should be fined and/or face custodial sentences.

I tend to agree. It really is that serious. There really is no way to estimate the lifetime damage that could be done by data of this nature in ways that we cannot anticipate today.

 
 
 
 

gzt
18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3449970 5-Jan-2026 14:06

Almost any comprehensive guide to security best practice these days recommends implementation of a bright hat security weakness bounty process as one part of a comprehensive strategy to stay one step ahead of dark hat hackers. Bright hat security bounties are now best practice to such an extent that they have their own ISO 27001 section dedicated to their correct process implementation.

imd6662
134 posts

Master Geek
+1 received by user: 22


  #3449971 5-Jan-2026 14:10

Some interesting questions unanswered here.

My own GP practice were using MMH but recently switched to Indici, for whatever reason.

Checking the MMH app of course showed my (non-pictorial, sorry chaps) data there, which I've now deleted and closed the account. So it seems that the practice didn't remove this when they swapped. But why should they? After all, presumably when you sign up to the portal app, YOU are accepting the T&Cs and, by association, the risk, even if effectively you are compelled to by your practice. Presumably there is something, somewhere that also covers off you agreeing to your practice storing your data this way?

So who's actually responsible? Is it the software provider? Is it the practice (and so perhaps your GP as the owner/director)? Or is it you?


geek3001
221 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3449980 5-Jan-2026 14:33

imd6662:

So who's actually responsible? Is it the software provider? Is it the practice (and so perhaps your GP as the owner/director)? Or is it you?

My $0.02... the day-to-day operational responsibility and accountability for the service delivery from MMH sits with the CEO. They should then be accountable to the company's directors.

Given this is a specific public health service, the directors (and CEO) should then ultimately be responsible to the government, ie: to the Minister of Health and the Prime Minister.

That of course assumes the "buck stops at the CEO's desk" and accepted company governance guidelines apply.

Please correct me if I'm wrong, but NZ Companies Office records suggest that here in NZ, MMH ownership is via a structure of three companies with three directors in total, one of whom is the CEO and ultimately the owner of the parent company Cereus Health Group Ltd. Looks like a small number of people to be held accountable should that be deemed appropriate.


gzt
18689 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3449986 5-Jan-2026 14:42

imd6662: So who's actually responsible? Is it the software provider? Is it the practice (and so perhaps your GP as the owner/director)? Or is it you?

Imo you're asking a legal question. To some extent that is defined by NZ privacy law and case law around duty of care. But no, it's not you, and there are many duties that parties cannot legally opt out of with crafty sign up EULAs although they may well try ; ).
