Geekzone: technology news, blogs, forums
sampler
468 posts

Ultimate Geek
+1 received by user: 126

ID Verified
Trusted
Lifetime subscriber

  #3458103 2-Feb-2026 16:31

turtleattacks:

 

Not really typo squatting. They can set up a domain, with https, and mail server that can send out password reset emails with all the right authentications and checks by Gmail/Outlook/Yahoo!/Hotmail/Rocketmail. 

 

And, a page that looks exactly like their login. 

 

 

anz-bank.co.nz is available at the moment too (anzbank.co.nz is not). So we could do the same thing with them as they have ~40% of the country bank with them.

I totally agree that if possible "low hanging fruit" matching domains sh/could be registered, it's just trying to work out how far to go.

 

manageyourhealth.co.nz is available for any budding crims too




freitasm

BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41071

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3458104 2-Feb-2026 16:37

I think typo-squatting (used either to grab anyone that types incorrect domains, or used on emails to appear similar to actual domains) is an uphill battle as there's no limit.

 

Where would you stop?

 

.com?

 

.nz vs .co.nz?

 

names with hyphens between letters?

 

Also, people are worrying too much about the whole email thing. Sure it makes it easier to grab a few passwords. But phishing is nothing new. The pot of gold is an admin password, not a password from an individual user with limited ability to damage a system.

 

Unless of course the Bad Actor knew of a vulnerability that could compromise the entire platform from a generic user login. But then there would be other, targeted ways to get the password (social engineering) instead of going to the work of reproducing a whole domain login just to grab a single password.






 


turtleattacks
1008 posts

Uber Geek
+1 received by user: 305

Trusted

  #3458105 2-Feb-2026 16:39

freitasm:

 

I think typo-squatting (used either to grab anyone that types incorrect domains, or used on emails to appear similar to actual domains) is an uphill battle as there's no limit.

 

Where would you stop?

 

.com?

 

.nz vs .co.nz?

 

names with hyphens between letters?

 

Also, people are worrying too much about the whole email thing. Sure it makes it easier to grab a few passwords. But phishing is nothing new. The pot of gold is an admin password, not a password from an individual user with limited ability to damage a system.

 

Unless of course the Bad Actor knew of a vulnerability that could compromise the entire platform from a generic user login. But then there would be other, targeted ways to get the password (social engineering) instead of going to the work of reproducing a whole domain login just to grab a single password.

 

 

Very true, you are generating one-password-at-a-time here rather than a 'pot of gold' with admin access. 
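The variant classes raised in the posts above (another suffix, .nz vs .co.nz, hyphens, near spellings) can be matched against names as they are observed instead of being registered in advance. The following is an added example, not part of the thread: the watch list, suffix list, similarity threshold and observed feed are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed watch list (assumption): names an organisation wants to protect.
WATCHED = ["managemyhealth.co.nz", "anzbank.co.nz"]
# Suffixes checked longest-first so ".co.nz" wins over ".nz".
SUFFIXES = (".co.nz", ".org.nz", ".net.nz", ".nz", ".com")

def split_domain(domain):
    """Return (label, suffix) of the registrable name: ('anz-bank', '.co.nz')."""
    d = domain.lower().rstrip(".")
    for suf in SUFFIXES:
        if d.endswith(suf):
            return d[: -len(suf)].split(".")[-1], suf
    head, _, tld = d.rpartition(".")
    return head.split(".")[-1], "." + tld

def classify(candidate, watched=WATCHED, min_ratio=0.8):
    """Return (watched_name, reason) when candidate resembles a watched name."""
    label, suffix = split_domain(candidate)
    if label + suffix in watched:
        return None  # the genuine domain or one of its subdomains
    bare = label.replace("-", "")
    for name in watched:
        w_label, _ = split_domain(name)
        if label == w_label:
            return name, "same name, different suffix"
        if bare == w_label:
            return name, "hyphen variant"
        if w_label in bare:
            return name, "watched name embedded"
        if SequenceMatcher(None, bare, w_label).ratio() >= min_ratio:
            return name, "near spelling"
    return None

# Constructed feed of newly seen names; the first three appear in the thread.
OBSERVED = ["anz-bank.co.nz", "manageyourhealth.co.nz", "mismanagemyhealth.co.nz",
            "managemyhealth.nz", "www.anzbank.co.nz", "geekzone.co.nz"]

def scan(observed=OBSERVED):
    """Map each flagged name to its (watched_name, reason) pair."""
    hits = ((d, classify(d)) for d in observed)
    return {d: hit for d, hit in hits if hit}

if __name__ == "__main__":
    for domain, (name, reason) in scan().items():
        print(f"{domain:28} resembles {name}: {reason}")
```
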







PolicyGuy
1821 posts

Uber Geek
+1 received by user: 1772

ID Verified
Lifetime subscriber

  #3458124 2-Feb-2026 18:58

turtleattacks:

 

freitasm:

 

Unless of course the Bad Actor knew of a vulnerability that could compromise the entire platform from a generic user login. But then there would be other, targeted ways to get the password (social engineering) instead of going to the work of reproducing a whole domain login just to grab a single password.

 

 

Very true, you are generating one-password-at-a-time here rather than a 'pot of gold' with admin access. 

 

 

In the MMH case though, it seems like it was possible to somehow (enumeration within the URL?) access all the items in that document store from a single ordinary-user login. So one UserID/password was all the bad actor needed. Or am I adding 2 + 2 to make 7?

 

Also there was no data egress monitoring or control (aka Data Loss Prevention system) so the bad actor was able to exfiltrate hundreds of thousands of documents over the Christmas weekend
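The post above names two conditions: many documents reachable from one ordinary login by enumeration, and no egress monitoring. As an added example (not part of the thread and not any vendor's code), this sketch flags both patterns per account and hour from an access log. The log format, account names, document paths and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: timestamp, account, request, status, bytes sent.
LINE = re.compile(r"(\S+) user=(\S+) GET /documents/(\d+) (\d{3}) (\d+)$")

def make_sample():
    """Constructed log: u1001 reads two documents, u2002 walks 300 consecutive IDs."""
    lines = ["2024-06-01T09:00:05 user=u1001 GET /documents/5001 200 48213",
             "2024-06-01T09:02:11 user=u1001 GET /documents/5002 200 51200"]
    lines += [f"2024-06-01T02:{i // 60:02d}:{i % 60:02d} user=u2002 "
              f"GET /documents/{7000 + i} 200 60000" for i in range(300)]
    return lines

def longest_run(ids):
    """Length of the longest run of consecutive integers in a sorted list."""
    best = cur = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best

def detect(lines, max_docs=50, max_bytes=10_000_000, min_run=20):
    """Flag (account, hour) windows that look like enumeration or bulk egress."""
    docs, sent = defaultdict(set), defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(4) != "200":
            continue  # only successful document reads count
        ts, user, doc, _, size = m.groups()
        window = (user, ts[:13])  # bucket by hour, e.g. 2024-06-01T02
        docs[window].add(int(doc))
        sent[window] += int(size)
    alerts = []
    for user, hour in sorted(docs):
        ids = sorted(docs[(user, hour)])
        reasons = []
        if len(ids) > max_docs:
            reasons.append("distinct documents")
        if sent[(user, hour)] > max_bytes:
            reasons.append("bytes out")
        if longest_run(ids) >= min_run:
            reasons.append("sequential IDs")
        if reasons:
            alerts.append((user, hour, len(ids), sent[(user, hour)], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(make_sample()):
        print(alert)
```
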


freitasm

BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41071

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3458131 2-Feb-2026 20:50

PolicyGuy:

 

turtleattacks:

 

freitasm:

 

Unless of course the Bad Actor knew of a vulnerability that could compromise the entire platform from a generic user login. But then there would be other, targeted ways to get the password (social engineering) instead of going to the work of reproducing a whole domain login just to grab a single password.

 

 

Very true, you are generating one-password-at-a-time here rather than a 'pot of gold' with admin access. 

 

 

In the MMH case though, it seems like it was possible to somehow (enumeration within the URL?) access all the items in that document store from a single ordinary-user login. So one UserID/password was all the bad actor needed. Or am I adding 2 + 2 to make 7?

 

Also there was no data egress monitoring or control (aka Data Loss Prevention system) so the bad actor was able to exfiltrate hundreds of thousands of documents over the Christmas weekend

 

 

Correct. As I said, there are cases in which even a standard user has access to content they shouldn't. But usually (and not the case here) phishing is limited in scope.






 


boosacnoodle
1280 posts

Uber Geek
+1 received by user: 862


  #3458150 2-Feb-2026 22:55

The DNC does keep something of a watch out for malicious / similarly typed domain name registrations. The owner of mismanagemyhealth.co.nz got ID'd by them recently.


 
 
 
 

matthewperrin
22 posts

Geek
+1 received by user: 11


  #3458154 3-Feb-2026 00:10

boosacnoodle:

 

The DNC does keep something of a watch out for malicious / similarly typed domain name registrations. The owner of mismanagemyhealth.co.nz got ID'd by them recently.

 



ID'd? What do you mean? The DNC has a fake registrant for them.

Kind of annoys me too because every website I've ever had gives full address and private phone numbers of mine and I've never been able to prevent it.


cddt
1970 posts

Uber Geek
+1 received by user: 1905


  #3458163 3-Feb-2026 07:43

matthewperrin:

ID'd? What do you mean? The DNC has a fake registrant for them.

Kind of annoys me too because every website I've ever had gives full address and private phone numbers of mine and I've never been able to prevent it.

 

 

Not an expert, but the Individual Registrant Privacy Option was introduced at some point: https://dnc.org.nz/tools-and-services/how-do-i-2/apply-privacy-to-your-domain-name/ 


boosacnoodle
1280 posts

Uber Geek
+1 received by user: 862


  #3458252 3-Feb-2026 10:22

matthewperrin:

ID'd? What do you mean? The DNC has a fake registrant for them.

Kind of annoys me too because every website I've ever had gives full address and private phone numbers of mine and I've never been able to prevent it.

 

 

The DNC can - and does - sometimes ask registrants to validate themselves. This involves them supplying photo ID and completing other biometric checks.


lachlanw
232 posts

Master Geek
+1 received by user: 96

ID Verified
Lifetime subscriber

  #3458933 5-Feb-2026 09:20

As an aside getting a doctor consult after hours at one of the major private a and e's all the notes and x-rays getting reviewed on a machine with the windows 10 "please activate" message at the bottom. I'm not filled with confidence 🤣


freitasm

BDFL - Memuneh
80658 posts

Uber Geek
+1 received by user: 41071

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3458936 5-Feb-2026 09:27

lachlanw:

 

As an aside getting a doctor consult after hours at one of the major private a and e's all the notes and x-rays getting reviewed on a machine with the windows 10 "please activate" message at the bottom. I'm not filled with confidence 🤣

 

 

Then officials go out with "We take the privacy of our patients very seriously. We don't know how someone could have possibly infected our systems with a cryptlocker, or stolen credentials to all that data."






 


 
 
 
 

Bung
6734 posts

Uber Geek
+1 received by user: 2927

Subscriber

  #3458959 5-Feb-2026 10:00

We had an email yesterday from Doctor advising that practice is moving to Tō Mai as a portal. No mention whether this has been planned for some time or a reaction to recent MMH problems.


lachlanw
232 posts

Master Geek
+1 received by user: 96

ID Verified
Lifetime subscriber

  #3458969 5-Feb-2026 10:28

freitasm:

 

Then officials go out with "We take the privacy of our patients very seriously. We don't know how someone could have possibly infected our systems with a cryptlocker, or stolen credentials to all that data."

 

 

I feel like there is some low hanging fruit there. 


matthewperrin
22 posts

Geek
+1 received by user: 11


  #3459029 5-Feb-2026 11:23

lachlanw:

 

As an aside getting a doctor consult after hours at one of the major private a and e's all the notes and x-rays getting reviewed on a machine with the windows 10 "please activate" message at the bottom. I'm not filled with confidence 🤣

 

 

When I go to see my neurosurgeon about my brain MRI's he has a giant like 2:1 or wider monitor and looks at the windows in this absurd aspect ratio and everything sits tiny in the middle of a black screen.

 

I taught him how to use the windows+left and right keybinds to organise it better lol. He was so surprised how easy it was.


Rikkitic
Awrrr
19071 posts

Uber Geek
+1 received by user: 16318

Lifetime subscriber

  #3460899 12-Feb-2026 10:09

About a week after the data breach became public knowledge, and it was being widely discussed here and elsewhere in the media, I wrote to my medical practice asking why they had not made any mention of it at all. That was on 7 January. I subsequently received an acknowledgement of my complaint, and then nothing else. I wrote a couple of follow-ups, also with no response. Today I finally received that response. I stated somewhere on this thread that I would post any reply I received, so I am doing that now. I have edited out all identifying information just to be on the safe side. I don't want to get sued.

 

-----------------------------------

 

11th February 2026

 


xxxxxxxxxxxx
xxxxxxxxxxxxx

 

Dear xxxxxxxxxxx,

 

Thank you for your emails and for setting out your concerns so clearly. I am very sorry for the length of time it has taken for you to receive a direct response from us. I also want to acknowledge at the outset that the lack of timely communication from xxxxxxxxxxxx following the Manage My Health (MMH) cyber incident has caused you understandable distress and has affected your confidence in our organisation. For that, I sincerely apologise.

 

You are absolutely right that silence creates anxiety, particularly in a healthcare setting, and we did not meet an acceptable standard in how promptly and clearly we communicated with patients about this issue. Even where information was limited, we should have acknowledged the situation earlier and kept patients informed. I regret that this did not happen and that you were left relying on media and social sources for information.

 

To address your specific questions:

 

Use of Manage My Health
xxxxxxxxxxxxxxxx uses Manage My Health as a patient portal to allow patients to view certain information (such as test results and appointment details) and to communicate with the practice. It is not our core clinical record system. Clinical records are held within our practice management system, not on the MMH platform.

 

Your decision to cancel MMH
Cancelling your Manage My Health account does cancel the link between xxxxxxxxxxxx and MMH. Once cancelled, your information is no longer accessible via the MMH portal, and no further information from our practice is shared with MMH in relation to you.
Please be assured that your care with xxxxxxxxxxxxxx and your GP is not affected in any way by your decision not to use MMH.

 

Regarding the cyber incident and communication
While the cyber incident occurred within MMH and not xxxxxxxxxxxxxx, we recognise that our patients reasonably expect us to acknowledge events that may affect them, particularly where we use the service. Our initial communications were delayed while we sought clarity on the scope of the breach and what information, if any, related to our patients. However, this does not excuse the absence of early acknowledgement, and your feedback makes it clear that we need to do better in situations like this.

 

Your complaint has highlighted an important gap in how we communicate during external incidents that still have direct relevance to our patients. We are reviewing our processes so that in future, patients are informed promptly when issues arise, even if the information available at that time is incomplete.

 


Thank you for taking the time to raise these concerns. We do take them seriously.

 

Yours sincerely,

 


xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx

 

 

 

 





Plesse igmore amd axxept applogies in adbance fir anu typos

 


 

