Just wanting to ask the members if there is any truth to this?:
https://x.com/AdamVoulstaker/status/2009035085388107990
Finally set up MFA on the very slow MMH site. Having gone through that, this has appeared on the Dashboard page....
EDIT: I have nothing in the My Health Documents area.
Just wanting to post that on reddit, people have reported some sensitive records from Manage My Health had been compromised:
https://www.reddit.com/r/newzealand/comments/1q6blv8/acc_sexual_assault_reports_compromised_in_manage/
On the Post, the article is behind paywall, Manage My Health also knew about the vulnerability:
https://www.thepost.co.nz/nz-news/360927453/manage-my-health-warned-vulnerabilities-six-months-ago
Non paywalled link:
https://archive.is/GvZYD
MrAlex: Just wanting to ask the members if there is any truth to this?:
https://x.com/AdamVoulstaker/status/2009035085388107990
Received a call from my provider today and had a lengthy conversation with them about this all.
And of course, the exact documents I thought were compromised - were compromised.
Funny because they're my early childhood records from my orphanage/Russia, some Starship stuff exclusive to when I was a young kid, and a place called the Wilson Home.
They were all present due to transfer of care mechanisms and me being proactive about getting those places to digitise old paper records.
They let me see their side of the portal on MMH and it does not appear as though that feature can hide documents from the patient which I'm happy to hear.
They also mentioned that MMH had claimed to have communicated the breach to patients on the Monday as well as having reached out to affected providers at the same time, however this was a lie or a misunderstanding.
Lastly I found it hilarious that their own lawyer had advised them against talking to their affected patients but they thought that was unfair and that we deserved to know.
Lol?
gzt: I feel sorry for the General Practitioners having to deal with all this. The stress on practice staff and management could be pretty bad for some. Hopefully, the various professional bodies and associations will be providing appropriate support.
I'm sure my GP practice will simply add a paragraph to their unavoidable and insufferably long greeting/information message, in the hope of deterring patients ringing to ask about the breach.
Mike
MrAlex: On the Post, the article is behind paywall, Manage My Health also knew about the vulnerability:
https://www.thepost.co.nz/nz-news/360927453/manage-my-health-warned-vulnerabilities-six-months-ago
Non paywalled link:
https://archive.is/GvZYD
Just got an email from MMH
Kia ora John, We’re writing to share an update regarding a recent security incident affecting part of the Manage My Health platform. Based on our current review, your account has been impacted. Logged into MMH and checked
1 Discharge Letter DS_20250120081004173.PDF 20 January 2025 29 December 2025
" Patient ingested linseed......blah blah blah "
Boring lol
Linux:
Just got an email from MMH
Kia ora John, We’re writing to share an update regarding a recent security incident affecting part of the Manage My Health platform. Based on our current review, your account has been impacted. Logged into MMH and checked
1 Discharge Letter DS_20250120081004173.PDF 20 January 2025 29 December 2025
" Patient ingested linseed......blah blah blah "
Boring lol
So did the email from MMH to you include the clickable link DS_20250120081004173.PDF which links to https://app.managemyhealth.co.nz/myhealth/health-documents that requires you to log on to view the file?
That format could easily be used for a phishing attack to harvest users' logon credentials.
geek3001:
Linux:
Just got an email from MMH
Kia ora John, We’re writing to share an update regarding a recent security incident affecting part of the Manage My Health platform. Based on our current review, your account has been impacted. Logged into MMH and checked
1 Discharge Letter DS_20250120081004173.PDF 20 January 2025 29 December 2025
" Patient ingested linseed......blah blah blah "
Boring lol
So did the email from MMH to you include the clickable link DS_20250120081004173.PDF which links to https://app.managemyhealth.co.nz/myhealth/health-documents that requires you to log on to view the file?
That format could easily be used for a phishing attack to harvest users' logon credentials.
@geek3001 no, I have my logins saved in Bitwarden (I work in IT) and would never access a website from a link in an email. It is 110% a genuine email from MMH.
Those links above are in the message inbox in MMH not in the email from MMH telling me about the hack
@geek3001 Further to this I use gmail + alias for all my logins
MMH login is my Gmail address xxxx.xxxxxx+mmh@gmail.com
SkyTV login is xxxx.xxxxxx+sky@gmail.com
Linux:
@geek3001 no, I have my logins saved in Bitwarden (I work in IT) and would never access a website from a link in an email. It is 110% a genuine email from MMH.
Those links above are in the message inbox in MMH not in the email from MMH telling me about the hack
Good. I was more concerned about phishing email being sent to less knowledgeable folk who would just click the link without understanding the risk.
Linux:
@geek3001 Further to this I use gmail + alias for all my logins
MMH login is my Gmail address xxxx.xxxxxx+mmh@gmail.com
SkyTV login is xxxx.xxxxxx+sky@gmail.com
Ditto me, I did this ages ago, and then encountered a few systems that refused to accept the plus symbol in the email address. Ended up using a different email provider to get unique email addresses per provider.
Comes in handy when there is a breach / I find my unique email address is in the wild.
Theoretically the only way these sort of unique email addresses could be in the wild is if my devices have been breached (hopefully unlikely), data in transit between me and the provider was sniffed (hopefully unlikely if it's done using SSL/TLS) or the provider's system has been breached (more likely).
gzt: Two factor authentication would not have protected against the underlying vulnerability exploited by the attacker.
Vino himself has said that in his affidavit that it was a password that was compromised. We can safely assume that two-factor authentication would have helped.
Vino himself has said that in his affidavit that it was a password that was compromised. We can safely assume that two-factor authentication would have helped.
People really need to stop saying that MFA is a silver bullet. I see compromises almost every single week involving people with MFA enabled. If the user believes the request is legitimate, then they will enter their MFA the same way they enter their username and password.
You can't safely say anything at this point, since the point of entry, and/or any exploit that was used to escalate privileges if that was required, isn't known and likely may never be 100% disclosed.