They used OTP to your email address. Worked yesterday when I changed my password.
geek3001:
I can't see any 2FA set up options, nor can I see a 'Security' tab.
Click on your "profile" and it is there.
However, as already mentioned, it has been disabled and now just logs you out.
They did support Google and Microsoft 2fa apps only if I remember correctly. I don't use it as I use "authy" and didn't want another app just for this.
insane:
They used OTP to your email address. Worked yesterday when I changed my password.
Ditto me yesterday.
Today, that option seems to be disabled, I can enter an email address, but the 'Continue' button is greyed out, so that logon method is unavailable.
I'm starting to doubt the ability of those operating that site.
geek3001:
{snip}
I'm starting to doubt the ability of those operating that site.
I think they've more-or-less accidentally become Critical Infrastructure (CI) for the primary health care sector, but without the level of support and perhaps knowledge that being CI really needs.
PolicyGuy:
geek3001:
{snip}
I'm starting to doubt the ability of those operating that site.
I think they've more-or-less accidentally become Critical Infrastructure (CI) for the primary health care sector, but without the level of support and perhaps knowledge that being CI really needs.
I agree, which is concerning.
What I am also concerned about is if there is other information on MMH's systems sourced from our GPs or the public health system, that we can't see and that we don't even know is stored there.
While I appreciate that online data storage can't be totally secure given the breaches we see these days, personal medical information is sacrosanct.
Medical staff can get into very serious trouble just by simply leaving a sheet of paper with a patient's info on it sitting somewhere for others to see. I have witnessed this in public hospitals when a patient's chart has been left out instead of put away. The performances I have seen and been through, even when dealing with my parents' medical info, are ridiculous. I once had to step in to stop a nurse in tears from being disciplined as I had been reading my parent's chart and associated documents which I had a right to see as I had EPoA for their Personal Care and Welfare. The nurse was getting a right bollocking from one of her superiors who thought otherwise for not putting said documents back where they were supposed to be. I had to explain to the superior that all was quite OK and please leave the nurse alone.
That a third-party IT provider can potentially allow personal medical data to be available on the 'net and get away with it is really not on.
farcus:
geek3001:
I can't see any 2FA set up options, nor can I see a 'Security' tab.
Click on your "profile" and it is there.
However, as already mentioned, it has been disabled and now just logs you out.
They did support Google and Microsoft 2fa apps only if I remember correctly. I don't use it as I use "authy" and didn't want another app just for this.
Great, thanks.
I was only looking at the menu options down the left side of the screen.
From Radio NZ:
ManageMyHealth is expecting to start notifying customers impacted by a data breach within the next 48 hours.
The country's largest patient information portal on Wednesday confirmed it had identified a cyber security incident involving "unauthorised access" to its platform.
Independent international forensic consultants have been engaged to verify the solution and to determine the extent of the data which is affected.
ManageMyHealth believed between 6 and 7 percent of the approximately 1.8 million registered users may have been impacted.
Earlier, chief executive Vino Ramayah assured users, customers and stakeholders that ManageMyHealth takes the protection of health information "extremely seriously".
"We understand how personal and sensitive health information is, and we recognise the stress an incident like this can cause. Our team is working hard to identify those affected, and to communicate directly and transparently," Ramayah said.
Ramayah also stated the Office of the Privacy Commissioner has been notified and is working with ManageMyHealth to meet their obligations under privacy legislation.
The police have also been notified of the breach.
A Health New Zealand spokesperson told RNZ it was working "closely" with the app's operators.
"Health New Zealand is aware of the cyber security incident at ManageMyHealth and is working with them to understand any impacts."
Source: https://www.rnz.co.nz/news/national/583030/managemyhealth-reveals-scope-of-data-breach
clinty:
Behodar:
Mine used to, but hasn't for a few years. Who knows whether MMH deleted all the data or not though...
I just logged in and my records up till my GP moved away from them are there :(
Clint
It appears that one of the larger GP groups, The Doctors Medical Centres—which advertises being “trusted by over 400,000 Kiwis”—left their patients’ old medical records on MMH after patients were migrated to a different system (Centrik). (Based on a sample of one.)
From RNZ:
Cyber security expert Daniel Ayers said ManageMyHealth was using an outdated encryption protocol, TLS 1.2 from 2008, and more than 1 million people might be affected.
"I had a quick look at the ManageMyHealth portal this morning after I heard about the data breach, and I see that they claim that their IT security is really good, but when I had a quick look at it, they don't use or don't support the latest version of the most important encryption protocol, TLS, and I'd expect that from a health site that takes IT security seriously."
What is the relevance of this? Obviously it's not great having an old cipher in use if you're using MMH on a public hotspot - but it almost certainly has nothing to do with hundreds of thousands of documents getting hacked. Significantly more likely that they just simply forgot to secure the Azure Blob correctly.
Bullshit. TLS 1.3 is preferred, TLS 1.2 is ok, TLS 1.0/1.1 are not.
freitasm:
Bullshit. TLS 1.3 is preferred, TLS 1.2 is ok, TLS 1.0/1.1 are not.
The irony is that RNZ's own web server only supports TLS 1.2 - the very same cipher that they are reporting as "insecure" (they don't support TLS 1.3!).
Checked just now and both the app & www of MMH support TLS 1.3. Unless they just now upgraded their server to support that, the reporting would appear to be wrong.
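The check described in the post above (which TLS versions a server will actually negotiate), as an added example that is not part of the original thread. `probe`, `grade` and the verdict strings are hypothetical names chosen here; the grading follows the rule quoted in the thread (TLS 1.3 preferred, TLS 1.2 OK, TLS 1.0/1.1 not).

```python
import socket
import ssl
import sys
import warnings

# One handshake attempt per protocol version, each pinned to exactly that version.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port=443, timeout=5.0):
    """Map each version to True (negotiated), False (handshake refused), None (inconclusive)."""
    results = {}
    for name, ver in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only the protocol version is under test,
        ctx.verify_mode = ssl.CERT_NONE  # so certificate validation is skipped
        try:
            with warnings.catch_warnings():  # pinning TLS 1.0/1.1 warns on newer Pythons
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = ver
                ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except ssl.SSLError:
            # Refused handshake. For TLS 1.0/1.1 this can also be the local
            # OpenSSL policy declining to offer the version at all.
            results[name] = False
        except (OSError, ValueError):
            results[name] = None         # unreachable, reset, or version not in this build
    return results

def grade(results):
    """Apply the thread's rule: 1.3 preferred, 1.2 OK, 1.0/1.1 not."""
    if results.get("TLS 1.0") or results.get("TLS 1.1"):
        return "weak: legacy TLS 1.0/1.1 accepted"
    if results.get("TLS 1.3"):
        return "preferred: TLS 1.3 offered"
    if results.get("TLS 1.2"):
        return "ok: TLS 1.2 only"
    return "inconclusive"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_probe.py <hostname>")
    found = probe(sys.argv[1])
    print(found, "->", grade(found))
```

A `False` for TLS 1.0/1.1 from a modern client is not proof the server rejects them; confirm with a client build that still permits those versions before relying on it.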
geek3001:
From Radio NZ:
ManageMyHealth is expecting to start notifying customers impacted by a data breach within the next 48 hours.
The country's largest patient information portal on Wednesday confirmed it had identified a cyber security incident involving "unauthorised access" to its platform.
Independent international forensic consultants have been engaged to verify the solution and to determine the extent of the data which is affected.
ManageMyHealth believed between 6 and 7 percent of the approximately 1.8 million registered users may have been impacted.
Earlier, chief executive Vino Ramayah assured users, customers and stakeholders that ManageMyHealth takes the protection of health information "extremely seriously".
"We understand how personal and sensitive health information is, and we recognise the stress an incident like this can cause. Our team is working hard to identify those affected, and to communicate directly and transparently," Ramayah said.
Ramayah also stated the Office of the Privacy Commissioner has been notified and is working with ManageMyHealth to meet their obligations under privacy legislation.
The police have also been notified of the breach.
A Health New Zealand spokesperson told RNZ it was working "closely" with the app's operators.
"Health New Zealand is aware of the cyber security incident at ManageMyHealth and is working with them to understand any impacts."
Source: https://www.rnz.co.nz/news/national/583030/managemyhealth-reveals-scope-of-data-breach
Does it say anywhere anything about people whose GPs use the system but the patients are not registered users?
Batman:
Does it say anywhere anything about people whose GPs use the system but the patients are not registered users?
No. In fact, MMH has yet to confirm much of anything - not least what was actually taken. Meant to be a further update tomorrow at 3 PM, apparently.
A concern I had at the very beginning was what information was made available to the development team - the T&Cs didn’t make it clear, when I looked, how things were.
When I finally “signed in”, I discovered most of my records were sitting there.
I suspect this could become an absolute nightmare for the provider involved if any data leaked/lost belongs to patients originating from the EU.
It would be nice to think that this is a catalyst for software companies to take their data responsibilities more seriously.