Geekzone: technology news, blogs, forums
wellygary
8828 posts

Uber Geek
+1 received by user: 5310


  #3450768 8-Jan-2026 15:53

FineWine:

 

They are offering 2FA of either email or Google and Microsoft 2FA, and they believe that those last two are the better choice. I know nothing about Microsoft 2FA and I don't use Google 2FA for things like YouTube, just a straight Google sign-in.

 

There is no SMS 2FA offered like what ANZ offers and Apple.

 

 

SMS 2FA is not secure, (and a driver of scammers' "SIM swapping"). 

 

The banks have moved credit card and other authentication into their own apps, 




boosacnoodle
1291 posts

Uber Geek
+1 received by user: 875


  #3450777 8-Jan-2026 16:32

wellygary:

 

SMS 2FA is not secure, (and a driver of scammers' "SIM swapping"). 

 

The banks have moved credit card and other authentication into their own apps, 

 

 

Is ANZ not a bank? They haven't moved theirs, last I checked. It's a glaring hole as far as I am concerned.


freitasm

BDFL - Memuneh
80672 posts

Uber Geek
+1 received by user: 41123

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3450778 8-Jan-2026 16:39

FineWine:

 

They are offering 2FA of either email or Google and Microsoft 2FA, and they believe that those last two are the better choice. I know nothing about Microsoft 2FA and I don't use Google 2FA for things like YouTube, just a straight Google sign-in.

 

There is no SMS 2FA offered like what ANZ offers and Apple.

 

 

There is no "Google" or "Microsoft" 2FA in this context. They use a technology called TOTP (Time-based one-time password) and that is a standard. It is used by the Google Authenticator and Microsoft Authenticator apps, but it's also used by Authy, Bitwarden and many others.

 

It's just a number that changes every 30 seconds based on a seed, unique to your account. You can even calculate it by hand if you know the seed (the number in the QR code or the number given). It's exactly the same 2FA we use at Geekzone.

 

They are not forcing you to login to a Microsoft or Google account.

 

There are other forms of 2FA, including push notifications to apps, like BNZ and Blizzard do. Or Microsoft does when using the passwordless login with their app login.

 

Having said all that, SMS is the weakest form of 2FA, because phone numbers can easily be hijacked.





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 




FineWine
3115 posts

Uber Geek
+1 received by user: 2447

Trusted
Nurse (R)
Lifetime subscriber

  #3450780 8-Jan-2026 16:45

freitasm:

 

FineWine:

 

They are offering 2FA of either email or Google and Microsoft 2FA, and they believe that those last two are the better choice. I know nothing about Microsoft 2FA and I don't use Google 2FA for things like YouTube, just a straight Google sign-in.

 

There is no SMS 2FA offered like what ANZ offers and Apple.

 

 

There is no "Google" or "Microsoft" 2FA in this context. They use a technology called TOTP (Time-based one-time password) and that is a standard. It is used by the Google Authenticator and Microsoft Authenticator apps, but it's also used by Authy, Bitwarden and many others.

 

It's just a number that changes every 30 seconds based on a seed, unique to your account. You can even calculate it by hand if you know the seed (the number in the QR code or the number given). It's exactly the same 2FA we use at Geekzone.

 

They are not forcing you to login to a Microsoft or Google account.

 

There are other forms of 2FA, including push notifications to apps, like BNZ and Blizzard do. Or Microsoft does when using the passwordless login with their app login.

 

Having said all that, SMS is the weakest form of 2FA, because phone numbers can easily be hijacked.

 

@freitasm

 

Thank you for your very informative reply.





Whilst the difficult we can do immediately, the impossible takes a bit longer. However, miracles you will have to wait for.


geek3001
223 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3450782 8-Jan-2026 16:48

boosacnoodle:

 

wellygary:

 

SMS 2FA is not secure, (and a driver of scammers' "SIM swapping"). 

 

The banks have moved credit card and other authentication into their own apps, 

 

 

Is ANZ not a bank? They haven't moved theirs, last I checked. It's a glaring hole as far as I am concerned.

 

 

OT briefly for a moment... when I use my ANZ credit card online, I recently started getting 2FA challenges via the ANZ app on my phone. The last time I received a 2FA challenge from ANZ via SMS was in October last year. Interestingly, I can usually trigger the challenge by entering something other than the correct card holder's name when I am processing a payment on a website.


imd6662
134 posts

Master Geek
+1 received by user: 22


  #3450791 8-Jan-2026 17:08

 

 

"They are offering 2FA of either email or Google and Microsoft 2FA, and they believe that those last two are the better choice. I know nothing about Microsoft 2FA and I don't use Google 2FA for things like YouTube, just a straight Google sign-in.

 

There is no SMS 2FA offered like what ANZ offers and Apple."

 

...

 

"There is no "Google" or "Microsoft" 2FA in this context. They use a technology called TOTP (Time-based one-time password) and that is a standard. It is used by the Google Authenticator and Microsoft Authenticator apps, but it's also used by Authy, Bitwarden and many others.

 

It's just a number that changes every 30 seconds based on a seed, unique to your account. You can even calculate it by hand if you know the seed (the number in the QR code or the number given). It's exactly the same 2FA we use at Geekzone.

 

They are not forcing you to login to a Microsoft or Google account.

 

There are other forms of 2FA, including push notifications to apps, like BNZ and Blizzard do. Or Microsoft does when using the passwordless login with their app login.

 

Having said all that, SMS is the weakest form of 2FA, because phone numbers can easily be hijacked."

 

 

 

 

 

Great! Now we just have to explain that to 1.8M patients!


 
 
 

freitasm

BDFL - Memuneh
80672 posts

Uber Geek
+1 received by user: 41123

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3450792 8-Jan-2026 17:09

imd6662:

 

Great! Now we just have to explain that to 1.8M patients!

 

 

Well, be happy they didn't introduce passkeys...






 


imd6662
134 posts

Master Geek
+1 received by user: 22


  #3450794 8-Jan-2026 17:12

Yet!

 

 

 

Seriously though, my point is that we often neglect just how big the barrier becomes for people to benefit from IT because of the clever ways we come up with to protect them. Tried to get anything done in person at a bank recently? Who's in the queue and for how long.

 

 


geek3001
223 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3450795 8-Jan-2026 17:12

Interesting update today https://managemyhealth.co.nz/mmh-cyber-breach-update-8-january-2026/ in that those affected are mainly located in Northland.

 

 

Breach containment  

 

We understand and sincerely apologise for the pain and anxiety this criminal activity has caused to our providers and patients.  

 

The MMH app consists of multiple modules. One of these contains data provided directly by a GP and is referred to within the app as “Health Records”. The app also includes a separate module called “My Health Documents”, which stores documents, including those uploaded by users. 

 

MMH would like to clarify that the breach was limited to data stored in the “My Health Documents” module only. User data stored in the GP-provided “Health Records” module was not compromised as part of this incident. 

 

Here’s a summary of the facts, to date: 

 

  • The cyber incident was limited to 6-7% of our 1.8 million registered users, within the “My Health Documents” module only 
  • The data relates to a range of medical practices, including:

     

    • Approximately 45 Northland-based GP practices;  
    • Clinical discharge summaries and historical clinical referral records in the Northland region (data that is between six and eight years old)  
    • Approximately 355 “referral-originating” GP practices across a number of New Zealand regions  
    • Personal health information uploaded by patients 

Northland practices  

 

Our investigation has shown that the data taken originates predominantly from the Northland region; documents that were shared with patients through the My Health Documents module and subject of the unauthorised access.

 

We recognise the disproportionate impact that this incident has had on some Northland communities. We are working closely with Health NZ/Te Whatu Ora as the data controller for Northland region documents to ensure those affected receive appropriate support and information.

 


antoniosk
2384 posts

Uber Geek
+1 received by user: 750

ID Verified
Trusted
Lifetime subscriber

  #3450796 8-Jan-2026 17:14

jonherries:

 

Jon

 

 

That sound you might hear is one of carpet being chewed at my place ;-)





________

 

Antoniosk


jonherries
1434 posts

Uber Geek
+1 received by user: 317

Trusted
Subscriber

  #3450799 8-Jan-2026 17:30

antoniosk:

 

jonherries:

 

Jon

 

 

That sound you might hear is one of carpet being chewed at my place ;-)

 

 

How are you - long time no coffee, we should catch up!

 

Jon





Website: herri.es

 

Linkedin: jonherries


 
 
 
 

NinjaFromNZ
7 posts

Wannabe Geek
+1 received by user: 5


  #3450810 8-Jan-2026 18:36

So I just logged in and despite enabling 2FA a few days ago using an authenticator app AND changing my password, it made me change my password again. And during the password change process, it didn't ask for my old password and instead of verifying my identity using the authenticator app I had set up, it sent me a code to my email address.

 

In my case that's not too insecure as I use MFA on my email, but for a lot of people that is only one step better than sending a code via SMS if they don't protect their email accounts using MFA.

 

Having changed my password, it then made me log in - but this time using the 2FA app I had previously selected, and when I had finally logged in, told me to enable 2FA (which clearly was already enabled as I'd had to use it to log in).

 

What planet are they on?


cddt
1981 posts

Uber Geek
+1 received by user: 1926


  #3450811 8-Jan-2026 18:40

freitasm:

 

It's just a number that changes every 30 seconds based on a seed, unique to your account. You can even calculate it by hand if you know the seed (the number in the QR code or the number given). It's exactly the same 2FA we use at Geekzone.

 

 

I want to see authentication which requires a user to calculate it by hand. If you can't complete it within 30 seconds, you have to start again. Good maths practice? 


mattwnz
20521 posts

Uber Geek
+1 received by user: 4798


  #3450812 8-Jan-2026 18:44

wellygary:

 

FineWine:

 

They are offering 2FA of either email or Google and Microsoft 2FA, and they believe that those last two are the better choice. I know nothing about Microsoft 2FA and I don't use Google 2FA for things like YouTube, just a straight Google sign-in.

 

There is no SMS 2FA offered like what ANZ offers and Apple.

 

 

SMS 2FA is not secure, (and a driver of scammers' "SIM swapping"). 

 

The banks have moved credit card and other authentication into their own apps, 

 

 

 

 

I would have thought it would be better than email-based 2FA, an email seems to be far easier to get hacked than SMS. I don't even know how a hacker could take over someone's phone number in NZ very easily?


freitasm

BDFL - Memuneh
80672 posts

Uber Geek
+1 received by user: 41123

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3450817 8-Jan-2026 18:52

mattwnz:

 

I would have thought it would be better than email-based 2FA, an email seems to be far easier to get hacked than SMS. I don't even know how a hacker could take over someone's phone number in NZ very easily?

 

 

It happened before. It may happen again.

 

https://www.nzherald.co.nz/business/telcos-respond-after-sim-card-hijacking-costs-kiwis-more-than-1-million/FDY4WDIT2ZO3NSHCT5UR7MBXCM/ 




