Geekzone: technology news, blogs, forums
cddt
1973 posts

Uber Geek
+1 received by user: 1906


  #3450516 7-Jan-2026 09:57
Bung:

"I kept records from a while ago poking around this exact feature of the website and toying around with it because I noticed odd behaviour especially with how it was renaming files."

Maybe if you'd pursued your earlier concerns with MMH this could have been closed off then.

Except I doubt MMH would have taken him seriously or even bothered to respond. There's also a non-zero chance they could have taken him seriously, but accused him of hacking and opened a case with the police...

networkn
Networkn
32873 posts

Uber Geek
+1 received by user: 15475

ID Verified
Trusted
Lifetime subscriber

  #3450519 7-Jan-2026 10:02
michaelmurfy:

@networkn agreed, but the general rule is don’t pay. This breach was pretty small but now they’ve painted a target on NZ (and especially NZ Health) which could mean the next breach could be bigger and cause more harm to individuals.

Health NZ is already a gold target, and they should be ready for such an incursion (and are hopefully far more prepared). Hopefully, MMH will be now or shortly. Either way, these are theoretical scenarios, whereas the MMH scenario is 100% real and immediate.

It may have been a small breach, but not a small consequence.

For the record, whilst it looks like the ransom was paid, there is a small chance this was resolved a different way. I have seen ransoms negotiated to nothing in the past by pressure being applied in a different way.

alasta
6891 posts

Uber Geek
+1 received by user: 3365

Trusted
Subscriber

  #3450525 7-Jan-2026 10:47
Garmin Connect was subject to a ransomware attack back in 2020 and it is rumoured that the ransom was paid, but this was never confirmed as Garmin presumably wouldn't have wanted to look like a soft target.

We might never know whether MMH have ultimately paid the ransom or not.

xpd
Geek of Coastguard
14116 posts

Uber Geek
+1 received by user: 4579

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #3450531 7-Jan-2026 11:07

networkn:

xpd:

Yup, I'm dreading the day when I get the 3am page........

Make your 2026 New Year's Resolution to make a DR plan to cover you, so you don't need to worry about not thinking clearly in a crisis. Put the numbers of all the important people somewhere offline, along with your insurance policy numbers. AI is actually really good for helping with this, and because of that, there is no excuse for people to not have a plan in 2026.

Assume the worst case will eventuate, and you'll have access to none of your digital resources, and work backwards from there.

Involve your stakeholders if you can. Make sure that the plan is ALSO offline (I have seen this before!) and that the top 3 people in your firm can get to it.

The plan should be straightforward enough that if you aren't available, someone non-technical can still provide the people who will be helping, with what they need.

Yup, DR plan already in place with exercises taking place :)

I still don't want the call though :D

dc2daylight
88 posts

Master Geek
+1 received by user: 25


  #3450533 7-Jan-2026 11:22
geek3001:

michaelmurfy:

It looks like they’ve paid the ransom. The breach is now gone from their Telegram and Website…

I was actually hoping that the authorities might have tracked down the culprit and dealt with matters.

However if the ransom has really been paid, we will look forward to confirmation.

We do not want to hear that the culprit received a better offer.

I hate to say it, unless we get an absolute assurance that the leak has been fully contained, we may have to face the reality that the data is still out there.

If the breach exfiltrated sample data is gone (I've not checked it myself), it is because apparently they're currently in 'negotiations' with the company itself.

"On Sunday at 5.37am (NZ time), the hackers demanded the company pay within 48 hours, or else they would leak “everything they have”.

That deadline passed at 5.37am on Tuesday morning. The group told The Post they had entered negotiations with MMH and would “not share the files during the communication period,” and set a new deadline of 5am on Friday for a resolution.

Manage My Health has not said whether it would pay the ransom."

Source: https://www.stuff.co.nz/nz-news/360921194/manage-my-health-hackers-express-support-maduro-first-post-deadline-ended

Confirmed by RNZ (5 minutes approx before I finalise my GZ post currently): https://www.rnz.co.nz/news/national/583383/manage-my-health-hackers-removes-information-about-data-online

I'm seeing a distinct slowdown in NZ media coverage of this topic in a timely manner since yesterday evening, and it's very disappointing! As I personally have data on MMH, as do vulnerable extended family members, I am very concerned about how badly this is playing out so far. I agree with others here that it's a horrific breach; authorities are not being transparent enough so far with us - the well informed and IT literate public so to speak, nor the regular non-IT-literate public either.

RNZ have relevant articles tagged with "Health" if you want to stay on top of their story updates. See here: https://www.rnz.co.nz/tags/health

We need assurances that not only has this been fixed, but that it won't occur again, and that a government response will involve placing an embargo on the trading operations of the company at the very least. MMH should be handheld and supervised by Health NZ, and NCSC on a daily basis from this day onwards. https://www.ncsc.govt.nz/news/managemyhealth-mmh-cyber-security-breach-involving-patient-information/

Personally I have not been contacted by email or phone message by the small sized GP clinic I am enrolled with, and nor have my extended family members been contacted by their much larger GP clinic. When I looked last night neither clinic had any update or information whatsoever about the MMH breach anywhere on their websites, or in their "news" sections. I will be calling both clinics to confirm when they can provide some assurance to us and their other patients later today when I get a chance. The sheer lack of communication just adds extra worry and stress for everyone. (Both clinics are well funded with enough patients and money to support expensive external IT support companies.)

I have an in-law who is a partner in another large GP clinic elsewhere in NZ so will call that person later today and get their input on the situation, and update here accordingly.

networkn
Networkn
32873 posts

Uber Geek
+1 received by user: 15475

ID Verified
Trusted
Lifetime subscriber

  #3450541 7-Jan-2026 12:02
dc2daylight:

We need assurances that not only has this been fixed, but that it won't occur again, and that a government response will involve placing an embargo on the trading operations of the company at the very least. MMH should be handheld and supervised by Health NZ, and NCSC on a daily basis from this day onwards. https://www.ncsc.govt.nz/news/managemyhealth-mmh-cyber-security-breach-involving-patient-information/

You'll never get an assurance of that nature. It's impossible to give assurances definitively like that. They can make statements that they are using x or y security standard or framework and are compliant within that.

Anyone who says so doesn't understand or is lying. Systems can be breached, people make mistakes, vulnerabilities exist in software.

Without knowing the actual breach point, it's guesswork to determine, and it's a little unlikely they will release that level of information.

The best you can hope for is that MMH adopt more comprehensive security products, policies and that monitoring is configured so that IF a breach occurs the system is isolated and appropriate people are notified.

alasta
6891 posts

Uber Geek
+1 received by user: 3365

Trusted
Subscriber

  #3450542 7-Jan-2026 12:07
dc2daylight:

We need assurances that not only has this been fixed, but that it won't occur again, and that a government response will involve placing an embargo on the trading operations of the company at the very least. MMH should be handheld and supervised by Health NZ, and NCSC on a daily basis from this day onwards. https://www.ncsc.govt.nz/news/managemyhealth-mmh-cyber-security-breach-involving-patient-information/

It would be interesting if anyone with legal expertise has any insight into what regulatory authority government agencies have over privately owned companies that handle sensitive health records. If there is a gap in legislation then I'm sure it will come up in the formal review.

wellygary
8816 posts

Uber Geek
+1 received by user: 5299


  #3450546 7-Jan-2026 12:28
alasta:

It would be interesting if anyone with legal expertise has any insight into what regulatory authority government agencies have over privately owned companies that handle sensitive health records. If there is a gap in legislation then I'm sure it will come up in the formal review.

In short, there is nothing with teeth...

The only "health" specific "regulation" is the Health Information Privacy Code (HIPC), but it's a guideline document not an enforcement one, https://www.privacy.org.nz/privacy-principles/codes-of-practice/hipc2020/

The Privacy Act is also pretty useless as it doesn't put any penalties on the data custodians in the case of a breach...

geek3001
223 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3450554 7-Jan-2026 12:57
Rikkitic:

So what next? Everyone just goes silent and pretends it never happened? I have a lot of questions and I don't know where to ask them.

Speaking to your last sentence, I think we're going to need to wait to see what the result is of the review ordered by the Health Minister to start no later than the end of this month, assuming a meaningful report is released publicly.

In the meantime I'm noting down queries I have. If they are not answered or properly addressed in the public report, then I will likely send them to the Health Minister who also happens to be my MP. The buck stops with him as far as this matter is concerned and I'm fairly sure the PM will be wanting this matter properly addressed too.

zenourn
281 posts

Ultimate Geek
+1 received by user: 168

ID Verified
Trusted
DR

  #3450558 7-Jan-2026 13:25
As indicated in the RNZ article, in their Telegram channel all posts related to the MMH data are gone including the link to sample data. On their ransom page the details and countdown timer for the MMH data have also gone, with Saudi Icon being the only one there now. Their last post related to this (now gone) was answering a question stating that they were in Cuba.

I hope this means that the data won't be released. I'll be interested in the findings of the inquiry; hopefully MMH were at least following NZISM but based upon some of the details that have come out I'm skeptical.

At the moment I occasionally answer queries from individuals about the steps we take to keep their medical data safe. I suspect this is going to increase substantially following this incident - which I see as a good thing.

geek3001
223 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3450560 7-Jan-2026 13:28
wellygary:

alasta:

It would be interesting if anyone with legal expertise has any insight into what regulatory authority government agencies have over privately owned companies that handle sensitive health records. If there is a gap in legislation then I'm sure it will come up in the formal review.

In short, there is nothing with teeth...

The only "health" specific "regulation" is the Health Information Privacy Code (HIPC), but it's a guideline document not an enforcement one, https://www.privacy.org.nz/privacy-principles/codes-of-practice/hipc2020/

The Privacy Act is also pretty useless as it doesn't put any penalties on the data custodians in the case of a breach...

One of the outcomes of this experience must be a review of regulations to ensure that entities holding and managing access to personal data (especially sensitive personal medical information) take that responsibility more seriously, to better secure their systems against attack.

A fully tested post-attack response plan including communication to those affected means very little to many people who have had their most sensitive personal information exposed to persons unknown.

As a poster noted earlier in this thread, perhaps those entities will need to be licensed and subject to regular pentesting etc, with real-world consequences for those in governance and executive positions if they fail to oversee the proper use of best-practice or accepted-practice security.

Law changes can't guarantee 100% secure systems with no breaches; however they should encourage the retention of sufficiently IT-savvy competent directors and executives to properly fulfill their responsibilities in this specialised environment.

Data sovereignty issues may need to be considered too.

mdf

3566 posts

Uber Geek
+1 received by user: 1519

Trusted

  #3450566 7-Jan-2026 13:41
The Privacy Commission is the relevant regulatory agency.

As it stands, the Privacy Commission can issue compliance notices (binding orders). Failure to follow a compliance notice is an offence (max 10K fine last I checked). It's also legally required to report major ("notifiable") privacy breaches, and again non-reporting is an offence (same 10K fine).

The Privacy Commission can investigate complaints (see https://www.privacy.org.nz/your-rights/making-a-complaint-to-the-privacy-commissioner/ - I suspect there may have been a few already!). There is a bit of process but certain more serious complaints can then go to the Human Rights Review Tribunal. The Tribunal can award up to $350,000 in damages. This compensation covers financial loss and things like loss of benefit, humiliation, loss of dignity, and injury to feelings.

Fines for offences are a penalty paid to the Crown. HRRT damages are paid to the victim as *compensation* for the harm caused, not to punish the wrongdoer or deter other wrongdoers.

In contrast to our 10K fines, if MMH has any Australian or European customers, they could be up for fines that cap out in the order of AUD 50 million / EUR 20 million (it's more complicated than that, but that is the order of magnitude). The Privacy Commission has been calling for stronger enforcement powers for a while, most recently in November 2025.

Rikkitic
Awrrr
19071 posts

Uber Geek
+1 received by user: 16319

Lifetime subscriber

  #3450574 7-Jan-2026 15:20
networkn:

You'll never get an assurance of that nature. It's impossible to give assurances definitively like that. They can make statements that they are using x or y security standard or framework and are compliant within that.

Anyone who says so doesn't understand or is lying. Systems can be breached, people make mistakes, vulnerabilities exist in software.

Without knowing the actual breach point, it's guesswork to determine, and it's a little unlikely they will release that level of information.

The best you can hope for is that MMH adopt more comprehensive security products, policies and that monitoring is configured so that IF a breach occurs the system is isolated and appropriate people are notified.

They have stated publicly that they know who was affected and who wasn't. At the very least, politeness would suggest that this information be shared with those involved. Not just the affected, but also the unaffected. The silences are deafening and the lack of information more than annoying!

matthewperrin
22 posts

Geek
+1 received by user: 11


  #3450576 7-Jan-2026 15:36
please don't be mmh... ffs

geek3001
223 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3450577 7-Jan-2026 15:41
Rikkitic:

They have stated publicly that they know who was affected and who wasn't. At the very least, politeness would suggest that this information be shared with those involved. Not just the affected, but also the unaffected. The silences are deafening and the lack of information more than annoying!

The Privacy Act requires those who HAVE had private information leaked to be notified.

There does not appear to be any legal requirement to also notify those that have NOT been affected by the leak.

I believe in this case those in the latter group must also be notified to help put their minds at rest. On that basis I have made a request to the Minister for that to be considered.

There appears to be a cohort of affected people with records held by MMH who no longer use MMH for whatever reason, most likely due to changing GP practice or no longer being registered with any PHO. Those records are effectively orphans in that they have no current link to a GP practice. Based upon media reports, efforts are being made to advise GP practices before the affected people are advised so that those people's GP practice is prepared to help the affected people.

A different plan for who those people with orphan records can contact would be required so they are not left wondering what to do. This may be delaying notifications.