
gzt
18688 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3450983 9-Jan-2026 11:14

boosacnoodle: Vino himself has said in his affidavit that it was a password that was compromised. We can safely assume that two-factor authentication would have helped.

Sure. The point is that anyone with an account could have used their own ordinary user account to download documents that did not belong to them, as if anyone with a valid EFTPOS card, PIN number and two factor could take money from any random account that did not belong to them.
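
The authentication-versus-authorisation distinction in the post above, as an added example that is not part of the original post and not a reconstruction of the real portal: the document store, `Session` class and function names are all hypothetical. It shows why a fully MFA-verified session can still read other users' documents when the handler omits an ownership check, alongside a per-object check and a denial log that flags enumeration.

```python
from dataclasses import dataclass

# Constructed sample data: document id -> (owner, file). Not from any real system.
DOCUMENTS = {
    101: ("alice", "alice-lab-results.pdf"),
    102: ("bob", "bob-referral-letter.pdf"),
    103: ("carol", "carol-discharge-summary.pdf"),
}

@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool  # True once password and second factor both succeeded

class Forbidden(Exception):
    pass

def download_authn_only(session, doc_id):
    """Flawed pattern: proves who the caller is, never asks whose document it is."""
    if not session.mfa_verified:
        raise Forbidden("login required")
    return DOCUMENTS[doc_id][1]

def download_with_owner_check(session, doc_id, audit_log):
    """Hardened pattern: object-level authorisation on every request."""
    if not session.mfa_verified:
        raise Forbidden("login required")
    record = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "not yours" so valid ids cannot be probed.
    if record is None or record[0] != session.user:
        audit_log.append((session.user, doc_id))
        raise Forbidden("not found")
    return record[1]

def flag_enumeration(audit_log, threshold=2):
    """Return users denied on at least `threshold` distinct document ids."""
    seen = {}
    for user, doc_id in audit_log:
        seen.setdefault(user, set()).add(doc_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```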



jonherries
1434 posts

Uber Geek
+1 received by user: 317

Trusted
Subscriber

  #3451587 10-Jan-2026 20:20

It is great that your financial data is managed so much better: https://managemywealth.nz/





Website: herri.es

 

Linkedin: jonherries


boosacnoodle
1280 posts

Uber Geek
+1 received by user: 862


  #3451595 10-Jan-2026 20:57

I saw a similar one at https://mismanagemyhealth.co.nz 




gzt
18688 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3452194 12-Jan-2026 11:54

The Monopoly behind MisManageMyHealth | LinkedIn

Some of that raises potential concerns about data at rest. With both major cloud services now in NZ there is no excuse if they are not taking advantage of that. The article does not mention data at rest storage location so the conclusion on that part is unclear.

imd6662
134 posts

Master Geek
+1 received by user: 22


  #3452195 12-Jan-2026 12:05

Actually, from what I've seen of these articles they are poorly-informed, based on incomplete information (partly because little real detail is known), and make generalisations which border on being offensively racist.

 

 


geek3001
221 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3452197 12-Jan-2026 12:11

If it has not already been said, this event must serve as a loud wake-up call to those holding sensitive personal medical information, to regularly review their systems to ensure that they store it in a way that makes it of less value to hackers when the inevitable breach occurs, i.e. data encryption at rest at a minimum. Exfiltrated data that is encrypted is of little to no value to a hacker.

 

How many electronic systems potentially still store medical records in plain-text?

 

I doubt that any medical practice still has physical paper notes. Many would recall seeing the large physical storage systems filled with folders holding our patient notes that went with us to the GP's office each time we visited the doctor. I recall my GP practice many years ago being broken into with the medical records room specifically targeted and records taken. In some ways the unencrypted data exfiltrated in this event is not so different to what was easily available years ago with the physical records.


mobiusnz
477 posts

Ultimate Geek
+1 received by user: 114


  #3452248 12-Jan-2026 12:28

I just logged in and my login now says it appears I'm unaffected, but do they actually know exactly what was compromised?

Personally I'm not overly concerned - I was diagnosed with Multiple Sclerosis just over a year ago but I have told my family, friends and even my customers so they are all aware.

A similar diagnosis for someone with a career they want to protect from employers concerned about long term symptoms etc could be pretty concerning. Imagine someone doing a role requiring some physical coordination that MS might affect long term - An employer might never employ that person or they might be first on the list for redundancy etc.

I knew a guy who got the same diagnosis as me and told NO ONE for around 10 years until his symptoms developed to the point he couldn't hide them any longer. He'd have been pretty upset for the cat to be out of the bag early in a case like this, and the numerous reasons this can be a massive privacy issue are too long to think about.

For me I'm a good old socialist and I think we should have a government bureau that develops all software used by government departments and for things like this. Then because they are developed in the same place they will all talk to each other when required and security would be a central focus of all platforms. Obviously you would pay to get top level consultants to review processes to make sure things are being done to industry best standards, but this is another example on the long list of why outsourcing these systems to For Profit organisations is a bad idea. Big Blue for the Police, Teachers payroll platform - the list goes on (and on).





Matt Beechey Mobius Network Solutions


gzt

gzt
18688 posts

Uber Geek
+1 received by user: 7827

Lifetime subscriber

  #3452251 12-Jan-2026 12:40

The Monopoly behind MisManageMyHealth | LinkedIn

Some of that raises potential concerns about data at rest. With both major cloud services now in NZ there is no excuse if they are not taking advantage of that. The article does not mention data at rest storage location so the conclusion on that part is unclear.

imd6662: Actually, from what I've seen of these articles they are poorly-informed, based on incomplete information (partly because little real detail is known), and make generalisations which border on being offensively racist.

You make a good point. An example quote from the article above: "Questions about supply-chain security raise serious questions. If Indian developers have administrator access to New Zealand patient data, that’s a vulnerability stretching beyond our borders. Data might be stored on local servers, but if the “keys” are in Chennai, what good is that? Sovereignty concerns kick in: New Zealand regulators can’t easily audit foreign entities or enforce standards."

In practice I think that's a combination of speculation and utterly wrong. New Zealand entities routinely use overseas providers based on their own and 3rd party security certifications and audits. In this case the service is sold directly to GPs and those individual customers are essentially responsible for the decision to use the software as I understand it. MMH claims both ISO 9001 and ISO 27001 certification so there's no real suggestion any GP is at fault for not checking credentials. I understand MMH use is tacitly encouraged by the Ministry of Health. Data sovereignty is a good point but that paragraph does not illuminate it.

huckster
887 posts

Ultimate Geek
+1 received by user: 460

ID Verified
Lifetime subscriber

  #3452254 12-Jan-2026 12:59

Just logged in for something and there's a survey asking would I recommend Manage My Health to other people......


eracode
Smpl Mnmlst
9334 posts

Uber Geek
+1 received by user: 6203

ID Verified
Trusted
Lifetime subscriber

  #3452260 12-Jan-2026 13:44

huckster: Just logged in for something and there's a survey asking would I recommend Manage My Health to other people......

Had the same thing. Gave them a big fat zero - then it asked why. I replied: “I’ll give you one guess”. End of.





Sometimes I just sit and think. Other times I just sit.


 
 
 
 

imd6662
134 posts

Master Geek
+1 received by user: 22


  #3452262 12-Jan-2026 14:05

Perhaps more helpful is the post from Marcus Crane of Halter (which I don't think has already been referenced here?).

 

I don't sense that Marcus is any more sympathetic, but he is a lot more considered and balanced, and - seemingly - accurate, since it seems his contribution has attracted some 'cease and desist' action, perhaps as part of an honest effort to not further expose sensitive details about what actually happened here.

 

 

 

 


geek3001
221 posts

Master Geek
+1 received by user: 331

ID Verified
Subscriber

  #3452267 12-Jan-2026 14:39

imd6662:

 

Perhaps more helpful is the post from Marcus Crane of Halter (which I don't think has already been referenced here?).

 

I don't sense that Marcus is any more sympathetic, but he is a lot more considered and balanced, and - seemingly - accurate, since it seems his contribution has attracted some 'cease and desist' action, perhaps as part of an honest effort to not further expose sensitive details about what actually happened here.

 

 

Interesting.

 

I had previously saved a snapshot of that blog, which I have now deleted so as to be compliant with the redactions.


Batwing
692 posts

Ultimate Geek
+1 received by user: 224

Trusted
Subscriber

  #3452320 12-Jan-2026 15:19

Logged in to see the file that was breached from my account, clicking on it is 404 though so no idea what was actually leaked lol


imd6662
134 posts

Master Geek
+1 received by user: 22


  #3452568 13-Jan-2026 13:21

As a matter of interest, I just logged into a different portal app which my GP's practice switched to from MMH a few months back.

 

This particular app can also be guarded with a biometric login, but a newish looking alert box says "MFA coming soon". Stable door or belt and braces?

