Geekzone: technology news, blogs, forums
geek3001
  #3464528 25-Feb-2026 10:40

evnafets: In terms of severity, I would term it low impact.

Yes and no. There was a report yesterday of one large retirement village's care centre being thrown into disarray, as they did not have access to electronic medical records for their residents, which meant they had to resort to manual dispensing of medicines, all of which took much longer and created serious risks to residents. That situation would not be low impact.

Depending upon the database schema, I shudder to think what could have happened if not only patients' names had been edited, but also other specific patient data such as their NHI etc. had been changed; that would leave records effectively useless, as it might be difficult to then positively identify which defaced records belonged to which patient: orphaned records, if you like.

I am assuming that their system may be subject to a restore from a known point in time before the intrusion; maybe not.


PolicyGuy
  #3464542 25-Feb-2026 11:23

granada29: According to MediMap, the bad guy stole/misused the credentials of a single person. It's pretty hard to see how this resulted in the ability to change the details for other users of the system.

All these health portals should be subject to strict security audits on a regular schedule.

As I said on the MMH thread, we badly need to move to a regime where providers of health information services are licensed by Te Whatu Ora / NZ Health, and the licence conditions include regular information security audits (and personnel security & physical security audits), with the audits being conducted by government-approved providers: no 'marking your own homework'.

Yes, it will be more expensive. Yes, it may put some existing providers out of business if they can't or won't meet the criteria.
Too bad: this is personal health information; IMO it needs to be protected to at least the same level as national security information classified at RESTRICTED.


geek3001
  #3464552 25-Feb-2026 11:31

PolicyGuy:

granada29: According to MediMap, the bad guy stole/misused the credentials of a single person. It's pretty hard to see how this resulted in the ability to change the details for other users of the system.

All these health portals should be subject to strict security audits on a regular schedule.

As I said on the MMH thread, we badly need to move to a regime where providers of health information services are licensed by Te Whatu Ora / NZ Health, and the licence conditions include regular information security audits (and personnel security & physical security audits), with the audits being conducted by government-approved providers: no 'marking your own homework'.

Yes, it will be more expensive. Yes, it may put some existing providers out of business if they can't or won't meet the criteria.
Too bad: this is personal health information; IMO it needs to be protected to at least the same level as national security information classified at RESTRICTED.

I agree.

What's happening behind the logon screen must be far more robust and secure.

This is especially true when the logon process for users is dumbed down somewhat, to a level where those with less experience and often low confidence in using a computer are still able to access their information rather than being prevented by functionality they struggle to understand.

I have dealt with and helped people who don't or can't understand that writing down an OTP delivered by whatever method "in case I need it again in the future" is pointless, as that info is valid only for a few minutes.




gzt
  #3464615 25-Feb-2026 12:06

PolicyGuy: Yes, it will be more expensive. Yes, it may put some existing providers out of business if they can't or won't meet the criteria.

I have some peripheral knowledge of costs. Competent security assessment is not expensive. Just a normal cost of doing business.

Rikkitic
  #3464616 25-Feb-2026 12:11

NZ security failures

I am in no way a security expert of any kind, but I am also not entirely lacking minimal common sense. More than once I have run up against supposed IT security people when I disputed their imposed methods of protecting passwords. You know, the usual random letters with numbers, upper case, non-alphabet characters, etcetera.

This blind insistence on a particular password style is frankly stupid. Most people, especially older people, can't remember all that nonsense, so what do they do? They write it down, of course! What can be more insecure than that?

“The most authoritative and widely recognized guideline for passwords is from the U.S. National Institute of Standards and Technology (NIST), specifically the NIST Special Publication 800-63B "Digital Identity Guidelines." Recent versions of these guidelines emphasize password length over complexity and explicitly recommend not imposing composition rules like mandatory uppercase letters, numbers, and symbols. Instead, NIST advises:
· Minimum length of 8 characters (user-created)
· Allowing all ASCII and Unicode characters, including spaces and emojis
· Checking passwords against lists of commonly compromised ones
· Eliminating mandated complexity requirements because they often lead to predictability and poor password choices

“There is no single international standard mandating uppercase, number, and special character requirements as a rule. Many websites still use this policy because of legacy practices or perceived security benefits, but modern best practice as recommended by NIST and supported by organizations like OWASP is to favor longer, user-friendly passphrases without forced complexity.

“So, while complexity rules are common in password policies, they have no formal universal name or international standard backing, and the current trend in cybersecurity is moving away from strict composition requirements toward promoting long, memorable, and checked passwords.”
Plesse igmore amd axxept applogies in adbance fir anu typos
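The four NIST points quoted in the post above are easy to state and rarely implemented as written, so here is an added example (my code, not Rikkitic's and not NIST's) of a password-acceptance check that follows them: a length floor and ceiling, any Unicode including spaces and emoji, a blocklist of compromised or common passwords, and no composition rule at all. The blocklist is a constructed stand-in for a real breached-password corpus, and the leet-folding table and the context-word check (username, service name) are my additions rather than anything the quoted text spells out.

```python
"""Password acceptance check along the lines of the NIST SP 800-63B points
quoted above: length over composition, any Unicode (spaces, emoji) allowed,
a compromised/common-password blocklist, no mandatory character classes.
Added example; the blocklist contents and the leet-folding table are mine."""
import unicodedata

MIN_LEN, MAX_LEN = 8, 64   # 800-63B: at least 8 characters; accept at least 64

# Constructed stand-in for a breached/common-password corpus. A real deployment
# loads a large list (e.g. a Pwned Passwords dump) rather than a handful of words.
BLOCKLIST = {"password", "p@ssw0rd", "qwerty123", "letmein", "iloveyou", "medimap2026"}


def normalize(password: str) -> str:
    """NFKC-normalise before comparing or hashing, as 800-63B recommends, so
    the same password typed via different keyboards compares equal."""
    return unicodedata.normalize("NFKC", password)


def leet_fold(s: str) -> str:
    """Lower-case and undo trivial substitutions (@->a, 0->o, 3->e, 1->i, 5->s,
    $->s) so that 'P@ssw0rd' still hits the 'password' entry. Assumption: this
    folding is my addition, not something the quoted guidance spells out."""
    return s.lower().translate(str.maketrans("@0315$", "aoeils"))


FOLDED_BLOCKLIST = {leet_fold(w) for w in BLOCKLIST}


def validate_password(password: str, context_words=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately absent: any 'must contain uppercase/digit/symbol' rule."""
    pw = normalize(password)
    folded = leet_fold(pw)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if folded in FOLDED_BLOCKLIST:
        problems.append("appears on the compromised-password list")
    for word in context_words:           # username, service name, etc.
        if word and leet_fold(word) in folded:
            problems.append(f"contains context word {word!r}")
    if pw and len(set(pw)) == 1:
        problems.append("repeated single character")
    return problems


if __name__ == "__main__":
    samples = ("P@ssw0rd", "ＰＡＳＳＷＯＲＤ", "correct horse battery staple",
               "short", "🐱🐶🐭🐹🐰🦊🐻🐼")
    for pw in samples:
        print(f"{pw!r}: {validate_password(pw) or 'accepted'}")
```

Note what the NFKC step buys: the fullwidth "ＰＡＳＳＷＯＲＤ" normalises to "PASSWORD" and is caught by the blocklist, while an eight-emoji password is accepted because nothing in the guidance says it should not be. A production system would also skip forced periodic rotation and reset only on evidence of compromise, which is the situation the rest of this thread describes.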

 


 


andrew75
  #3464618 25-Feb-2026 12:21

 

 

"In terms of severity, I would term it low impact."

Only because of luck. If the hacker had been truly nefarious they could have changed prescribing data: altered doses of medication, stopped and started medication. Could easily have resulted in sick or dead patients. Dispensing nurses could easily have not noticed something was up.
evnafets
  #3464670 25-Feb-2026 12:40

Good point.

I was originally making that statement thinking that because it was probably a 'human' factor involved, the system itself might not be that vulnerable (SQL injection, bugs, invalid rights escalation etc.). Those sorts of vulnerabilities may or may not be there; according to the information, they were not used in this attack.

That means the user was limited to operations the system would 'let them' perform.

If instead the 'hacker' got system access to the file system etc., they could 'use SQL to corrupt their databases', which could potentially be even more damaging.

So on a scale of 1 to 10, how impactful was this? (Relevant XKCD comic.)

That being said, even an impact of 1 could be quite severe.

gzt
  #3464674 25-Feb-2026 12:57

Quoting the original article:

Adam Burns of Blackveil, expressed concern to Stuff about the level of security at the platform. “These guys make Manage My Health look like Fort Knox,” he said.

There is more information on the blackveil blog. The exact points of comparison used to form the view above are not specified at this time:

https://www.blackveilsecurity.com/blog/medimap-breach-analysis-2026-02-24


wellygary
  #3464690 25-Feb-2026 13:34

And now they're seeking urgent court injunctions to prevent the sharing and publishing of any data they have obtained...

So, we've quickly gone from changing patients' details to presumably large-scale data theft...

The company says the injunction being sought would prohibit anyone from accessing, using, copying, sharing, or publishing any MediMap data that may have been unlawfully obtained, and would seek to limit any further spread of that information online.
https://www.stuff.co.nz/nz-news/360943353/medimap-seeks-urgent-court-injunction-over-data-breach-material

Although the thing that baffles me is that these companies manage to actually get medical businesses to sign up with them...
Their tag lines are straight out of the venture capital playbooks... revolutionise... innovative... I mean this sounds just like Theranos, and really most customers would be happy if these places were steady, secure and reliable...

Just leave the revolutions to the tech bros who want to "move fast and break things".

"At MediMap, we are dedicated to revolutionising the way medication data is managed. Our mission is to build an innovative shared care medication management platform which facilitates better health outcomes for all."
https://www.medimap.co.nz/

geek3001
  #3464697 25-Feb-2026 13:42

gzt: Quoting the original article:

Adam Burns of Blackveil, expressed concern to Stuff about the level of security at the platform. “These guys make Manage My Health look like Fort Knox,” he said.

There is more information on the blackveil blog. The exact points of comparison used to form the view above are not specified at this time:

https://www.blackveilsecurity.com/blog/medimap-breach-analysis-2026-02-24

If the Blackveil review is to be relied upon (grain of salt, etc.), it is interesting that the quoted report "Spark Digital: MediMap Infrastructure Case Study", as referenced in Blackveil's review and noted in the Sources, is currently not available at the specified URL (access attempt yields the result "404 Error - The path /error/.html could not be found").

One wonders if the URL is wrong (bad look for Blackveil) or whether Spark Digital's report was indeed previously available and has now been removed given the breach that has occurred.


clinty
  #3464713 25-Feb-2026 14:15

Blackveil is being a wee bit disingenuous.

That case study PDF is in the Wayback Machine, and looks like it was first uploaded in 2019, so three years before that PHP version went EoL.

It's possible they no longer use Spark Digital or that secured platform.

That being said, they have found some big security holes with the existing setup.
Clint


 
 
 

bumbledore
  #3474871 29-Mar-2026 08:17

Here's an update. I was at a conference recently where the product director spoke. It is still maintained that a malicious actor compromised a login, did some naughty things, and then left.

They've asked everyone to reset their passwords to a new, minimum 10-character, alphanumeric string. I did it while she was talking. I was able to use the SAME PASSWORD pre-hack as my "new" post-hack password. Um....

Their PHP 7.4 is using third-party support and this seems sufficient to them. Probably is OK, but the costs of replatforming cannot be avoided for eternity.

I asked how it was sensible that the same password could be reused. I was initially told that shouldn't have been possible. She discussed with the security team and gave me the following feedback: they have deleted the stored passwords pre-hack (presumably hashes), so don't know if people are reusing the same passwords. No one thought to blacklist. Instead they shift-deleted. Over 80% of users were using passwords of < 10 characters pre-hack, so "they wouldn't be able to use those same passwords with the new 10-character minimum spec".

Human nature is predictable. If my old PW was BillyBoy, and it now needs to be 10 characters, the new PW is likely to be the old one with .1 bolted on, or some other predictable string of 2 characters.

Even worse is that there is STILL NO 2FA. A platform concerning private, confidential, manipulable data is still being protected by single-factor authentication. The reason given was that it's too difficult to ensure all staff members using the platform have access to an authentication device / app, so it won't be added as a feature. I kid you not.

Until these companies are hit where it hurts (their profits), they will continue to play loose and fast with our personal and private data.


geek3001
  #3474886 29-Mar-2026 09:46

bumbledore: Until these companies are hit where it hurts (their profits), they will continue to play loose and fast with our personal and private data.

In my opinion, financially penalising a company achieves very little, as that really only penalises the company's customers, who are the source of that company's income.

It is the company's directors and the company's CEO who need to be significantly penalised financially.

Our company law is too weak in this regard and needs updating.


gzt
  #3474889 29-Mar-2026 09:55

bumbledore: Until these companies are hit where it hurts (their profits), they will continue to play loose and fast with our personal and private data.

There's a worse problem. In many cases it is extremely hard to effectively change providers. Until there is a standard interchange and behaviour, that is going to continue. Apparently there was a project running to achieve that, but it was cancelled by the incoming government.

boosacnoodle
  #3474892 29-Mar-2026 10:13

If the passwords were truly hashed, it’s unlikely that they would have known the lengths. Of course they may well have stored this separately as part of setting the passwords but it does make you wonder. 
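bumbledore's reset story and boosacnoodle's hashing point both come down to what a reset flow keeps around. As an added example (my code, not MediMap's, and not something either poster describes), here is a Python reset check that retains the old hash until the new password has been accepted, refuses exact reuse, and also refuses the "BillyBoy.1" style of padding by stripping one to three trailing characters from the candidate (with a couple of case variants) and testing those against the old hash. PBKDF2-HMAC-SHA256 is used because it is in the standard library; the 16-byte salt, the iteration count and the set of derivations checked are my assumptions, and a production system would use argon2id or bcrypt. The fixed-width output also illustrates boosacnoodle's point: nothing about the old password's length is recoverable from the stored hash, so an "80% were under 10 characters" figure needs plaintext or a separately stored length.

```python
"""Password-reset check that keeps the old hash until the new password
is accepted, then refuses the old password and its obvious padded variants.
Added example; PBKDF2 parameters and the derivation rules are assumptions."""
import hashlib
import hmac
import os
import unicodedata

SALT_LEN = 16
ITERATIONS = 100_000      # assumption; production should use argon2id/bcrypt
MIN_LEN = 10              # the new minimum bumbledore reports


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Output width is fixed,
    so the stored value says nothing about the password's length."""
    salt = salt or os.urandom(SALT_LEN)
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    return salt + hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt||digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)


def derivations(new_password: str):
    """Candidate old passwords a user may have 'padded' into the new one:
    the new password itself (k=0), then with 1..3 trailing characters removed,
    each also with swapped case and with only the first letter flipped."""
    seen = set()
    for k in range(4):
        base = new_password[:-k] if k else new_password
        for cand in (base, base.swapcase(), base[:1].swapcase() + base[1:]):
            if cand and cand not in seen:
                seen.add(cand)
                yield cand


def check_reset(new_password: str, old_hash: bytes) -> str:
    """'ok', or the reason the reset is refused. Call this BEFORE discarding
    old_hash; once the old hash is deleted, reuse can no longer be detected."""
    if len(new_password) < MIN_LEN:
        return "too_short"
    for cand in derivations(new_password):
        if verify_password(cand, old_hash):
            return "reuse" if cand == new_password else "derived_from_old"
    return "ok"


if __name__ == "__main__":
    old = hash_password("BillyBoy")            # constructed pre-reset record
    for attempt in ("BillyBoy", "BillyBoy.1", "billyBoy99", "correct horse battery"):
        print(f"{attempt!r:25} -> {check_reset(attempt, old)}")
```

The derivation check is deliberately narrow (trailing padding and simple case flips); it costs at most a dozen extra hash computations per reset and catches exactly the behaviour bumbledore predicts, without storing anything beyond the old hash. Whatever the variant list, the old hash has to survive until the new password is accepted, which is the step that was skipped in the account above.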

