Looks like my medical centre has blocked requesting repeats via the app.
Were electronic health records (EHR) an area the government was looking to ultimately take over especially with COVID-19 immunisation record / test results and all that? I feel that would have put a damper on private investment in these patient portal services.
I recall there was a lot of governance and regulatory work put in during the late 2000s and early 2010s by the likes of National Health IT Board to the point it delayed the introduction of such patient portal services. Certainly the past 5 years it looks like eyes have been taken off the ball and focus turned to other areas such as virtual/remote GP consults instead.
MikeB4:
Our medical center has been open and only closed on Christmas Day and Boxing Day. My point is the medical center partners should have been advised immediately MMH became aware. MMH appear to have gone into fiscal damage control and given partners and users a much lower priority.
I would say many GP practices whose role is to provide medical care to their patients with what little resources they have, simply don't have the IT skills in-house or available at this time of the year, to quickly add a message to their website if they have one, or get an explanatory email out to their patients.
It's possible the Ministry has instructed them directly, to hold off until they are cleared to do so, so that consistent messaging happens from all health providers.
I feel really sorry for the receptionists in these practices who will likely be fielding calls from angry, confused and upset patients.
"Our patient portal is MyIndici 2.0 which is not connected with Manage My Health."
Above is part of an email I received today from my medical centre.
They didn't mention that they changed from MMH to MyIndici last year so many of their patients could be affected by the breach. I have emailed them to notify them of this oversight.
I can't help but feel like this level of attention and public backlash wasn't present for the Waikato DHB and Tu Ora breaches. With the Waikato breach potentially being 80,000 people and the Tu Ora breach potentially had 1 million people's records at risk. Both incidents had a similar level of messaging (or lack thereof). Tu Ora if memory serves me took ~2 weeks from breach to public notice.
MikeB4:
Our medical center has been open and only closed on Christmas Day and Boxing Day. My point is the medical center partners should have been advised immediately MMH became aware. MMH appear to have gone into fiscal damage control and given partners and users a much lower priority.
MMH almost certainly have invoked their Cyber Protection Insurance Policy. It's very standard that to limit their liability, and as part of the terms of the payout under their policy, comms must be run through the Insurer or its agent (in this case a PR firm), and MMH are almost certainly forbidden from passing on any information until the situation is deemed "under control".
It's less a case of lack of willing, and more a case of what they are bound to, by the contract they signed with their insurer. Failure to do so would put their coverage, and then by extension, any payments that the Insurer is required to make to victims at risk.
Surely they could issue a statement saying that? It is the lack of any communication that upsets people.
Plesse igmore amd axxept applogies in adbance fir anu typos
As someone who has been both sides of this, that isn't how it works, even though for the consumer it may provide some information (which at this relatively early stage could be incomplete or inaccurate, which would ultimately be more confusing and upsetting). There is a lot going on behind the scenes including fully understanding the breach point, what new access the bad actors have installed or discovered, forensics across many systems (designed to confirm the width and breadth of the incursion and any data accessed or exfiltrated), interviews, and carefully prepared messaging designed to limit the liability of the insurer, the insured, and ultimately, the integrity of the process if legal action is required, either in defence or otherwise.
If the incident response teams get any part of this wrong, the bad actors could gain access to even more information and ultimately put the patients, and their data at even more risk.
From experience the insurance company will be trying to cover their ass, but that also covers yours believe it or not. My experience with insurers in these types of incidents has been that they let qualified people do their work. They are professionals.
I know it's difficult, but I'd encourage patience and to not jump to conclusions or to attribute to malice what more likely has other explanations.
Insurers specifically tell their customers during a breach response to make no mention of insurance. Once the bad actors know the insurance company is involved, with their far far deeper pockets, guess what happens to the ransom?
Today's update https://managemyhealth.co.nz/mmh-cyber-breach-update-5-january-2026/ says:
To protect patient data and confidentiality, Manage My Health has today been granted injunction orders from the High Court preventing third parties from accessing any data posted as a result of the incident.
We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.
That will be good, if they can succeed on servers located in foreign jurisdictions.
networkn:
MMH almost certainly have invoked their Cyber Protection Insurance Policy. It's very standard that to limit their liability, and as part of the terms of the payout under their policy, comms must be run through the Insurer or its agent (in this case a PR firm), and MMH are almost certainly forbidden from passing on any information until the situation is deemed "under control".
It's less a case of lack of willing, and more a case of what they are bound to, by the contract they signed with their insurer. Failure to do so would put their coverage, and then by extension, any payments that the Insurer is required to make to victims at risk.
In item (2) in the FAQ for the cyber attack MMH state to the question "2. Is the Manage My Health platform safe to use?...": "Yes. The unauthorised access has been contained, and the platform remains operational, and we continue to monitor our systems closely."
With that I see no reason not to communicate to partners and users.
Here is a crazy notion, let's give peace a chance.
MikeB4:
In item (2) in the FAQ for the cyber attack MMH state to the question "2. Is the Manage My Health platform safe to use?...": "Yes. The unauthorised access has been contained, and the platform remains operational, and we continue to monitor our systems closely."
With that I see no reason not to communicate to partners and users.
Because that is one part of many parts which are required to be completed? Law enforcement will be acting behind the scenes, professional negotiators may be involved, and anything said at this stage could be inaccurate, incomplete or just flat out wrong.
geek3001:
That will be good, if they can succeed on servers located in foreign jurisdictions.
Local Authorities will co-operate and most hosting organisations will voluntarily act to take down data of this nature in almost every instance. Since the inception of ransomware, there have been protocols for this type of thing, there is a high level of co-operation. Not in every instance obviously, but it's getting better and better all the time.
networkn:
Because that is one part of many parts which are required to be completed?
I spent many years in senior management and in my opinion they are playing the slow down game to cover their butts and they don't give a toss about New Zealand, their partners and users.
I don't care about "many parts" I do care about my wellbeing my safety and my wife's safety. On advice I have moved all my medication out of my home. The stress of this is having a real impact on my anxiety and health. This incident is not just a fascinating IT incident it has a real impact on people's lives and wellbeing.
edit; I have edited this post by request
Here is a crazy notion, let's give peace a chance.
networkn:
Local Authorities will co-operate and most hosting organisations will voluntarily act to take down data of this nature in almost every instance.
Fair point, for NZ and friendly countries.
What about "unfriendly" countries and the remaining instances? That's where the data will be available from.
Will the injunction require ISPs to block access to said sites?
Apologies if I sound argumentative, that is not my intention.
I'm just very fearful that the data will be out there for those that wish to go get it and then misuse it, with it probably being refreshed from the dark web.
In that sense the damage is done and there is quite possibly no solution unless appropriate international authorities can help to conclusively take down every instance that appears.
MikeB4:
I don't care about "many parts" I do care about my wellbeing my safety and my wife's safety. On advice I have moved all my medication out of my home. The stress of this is having a real impact on my anxiety and health. This incident is not just a fascinating IT incident it has a real impact on people's lives and wellbeing.
You should take whatever steps make you feel safe.
Unless you have experience with something like this specifically (which I have), then you aren't really helping yourself by making assumptions or accusations. It's in your best interests that the professionals do this the way they have proven works best many times before.
Your interests are likely more closely aligned with the insurers than you might think.