ManageMyHealth Data Breach

Forums › Health and fitness › ManageMyHealth Data Breach

1 | ... | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | ... | 29

2762 posts

Uber Geek
+1 received by user: 2427

Lifetime subscriber

#3449637 4-Jan-2026 16:02

Lol. Maybe we need a go fund me page to get this over and done with. 60,000 people all giving a dollar each would solve the problem for the majority millions. Not condoning ransoms at all but $60k is peanuts compared to what’s at stake. Imagine if a greedier hacker with bigger ambitions got their hands on it.

In any event heads and pockets need to roll over this and it’s a small price to pay for their botch up. Maybe they can negotiate a patch as well.

Kazu is probably some bored, smart kid in parents basement having fun. Someone should hire him at $500k pa to report on security.

Linux

12185 posts

Uber Geek
+1 received by user: 8477

Trusted

Lifetime subscriber

#3449642 4-Jan-2026 16:10

@Eva888 You honestly think if they are paid the 60k that would be it? lol you got to be joking?

mattwnz

20515 posts

Uber Geek
+1 received by user: 4795

#3449643 4-Jan-2026 16:10

My medical practice moved to indici last year but I logged into MMH just more and my records are still on it. Surely they should have been removed when the practice moved to another system? Surely my data shouldn’t have been retained on it?

geek3001

220 posts

Master Geek
+1 received by user: 331

ID Verified

Subscriber

#3449646 4-Jan-2026 16:27

mattwnz:

My medical practice moved to indici last year but I logged into MMH just more and my records are still on it. Surely they should have been removed when the practice moved to another system? Surely my data shouldn’t have been retained on it?

MMH may be required to retain the data for ten years after the last time any activity was noted on your account, per the legislation at https://www.legislation.govt.nz/regulation/public/1996/0343/latest/DLM225641.html

MMH's privacy policy at https://managemyhealth.co.nz/privacy-policy/ section 2.8 says "You can close your account at any time by signing into your ManageMyHealth™ account and editing your account profile. We wait 90 days before permanently deleting your account information and all records".

I'd say they retain our data for the required duration per the legislation unless we tell them to delete it.

freitasm

BDFL - Memuneh
80654 posts

Uber Geek
+1 received by user: 41050

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3449648 4-Jan-2026 16:31

geek3001:

This opinion is an interesting read, if the content is correct, particularly if the observations about the potential for easy MMH email spoofing and targeting of victims is correct.

https://blackveil.co.nz/blog/managemyhealth-breach-analysis-2025

Not sure if opinion or AI stuff.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

alasta

6890 posts

Uber Geek
+1 received by user: 3364

Trusted

Subscriber

#3449649 4-Jan-2026 16:33

Eva888:

Lol. Maybe we need a go fund me page to get this over and done with. 60,000 people all giving a dollar each would solve the problem for the majority millions. Not condoning ransoms at all but $60k is peanuts compared to what’s at stake.

I think it would be a really good idea for affected patients to take collective action, but not for the purpose of paying the ransom. Rather, it should be a class action lawsuit to pursue Manage My Health for damages.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

kiwifidget

"Cookie"
3640 posts

Uber Geek
+1 received by user: 1969

Lifetime subscriber

#3449651 4-Jan-2026 16:48

My GP clinic definitely took a copy of my passport a few years ago, even though I was a long time patient.

It was required due to some new regulation the Health Board brought in.

But my passport expired 3 weeks ago, so is that at least useless to them?

Delete cookies?! Are you insane?!

freitasm

BDFL - Memuneh
80654 posts

Uber Geek
+1 received by user: 41050

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3449652 4-Jan-2026 16:55

kiwifidget:

But my passport expired 3 weeks ago, so is that at least useless to them?

https://www.justice.govt.nz/criminal-records/get-someone-elses/identification-check-requirements/

"New Zealand IDs can be accepted within two years of the expiry date." when used as proof of ID for New Zealand purposes.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

card

1 post

Wannabe Geek

#3449653 4-Jan-2026 16:55

dfnt:

Saw this quote on the stuff article: “Manage My Health cannot be held liable in any way for events beyond our control or in any way for accidental or unauthorised access of your information.”

I'm sorry, what? How do they think they can escape liability for this..

Refer to the 2020 Generate kiwisaver data breach where there was no admission of liability. NZ privacy law merely requires the Commissioner to be notified of a breach, which MMF have already done.

In Generate's case their data security was clearly inadequate but the legal standard is simply that data is kept “safe and secure” meaning there was no consequence.

waikariboy

958 posts

Ultimate Geek
+1 received by user: 101

ID Verified

Trusted

#3449657 4-Jan-2026 17:00

looking at this could you increase security limiting where from you can access these sorts of sites. Like, anywhere outside of NZ is blocked unless you enable something? i use cloudflare tunnels and i put on a firewall setting to limit access to only new zealand and aus.

Balm its gone!

freitasm

BDFL - Memuneh
80654 posts

Uber Geek
+1 received by user: 41050

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3449660 4-Jan-2026 17:02

waikariboy:

looking at this could you increase security limiting where from you can access these sorts of sites. Like, anywhere outside of NZ is blocked unless you enable something? i use cloudflare tunnels and i put on a firewall setting to limit access to only new zealand and aus.

This is counterproductive. New Zealand citizens still need access to their data while overseas, wherever they are.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

Eva888

2762 posts

Uber Geek
+1 received by user: 2427

Lifetime subscriber

#3449663 4-Jan-2026 17:10

kiwifidget:

My GP clinic definitely took a copy of my passport a few years ago, even though I was a long time patient.

It was required due to some new regulation the Health Board brought in.

But my passport expired 3 weeks ago, so is that at least useless to them?

Mine also expired and has a different number now, but the photos, correctly spelled name and DOB are still there. This information could all be encrypted and only visible to authorities and their machines at airports.

I recall having to go to hospital and they asked for my passport and copied it. You can bet I won’t be allowing that again anywhere. They can look at it and verify but never giving my details for anyone to copy and keep again. The banks also demand passport. It’s very clear that no entity can be trusted anymore.

waikariboy

958 posts

Ultimate Geek
+1 received by user: 101

ID Verified

Trusted

#3449664 4-Jan-2026 17:11

freitasm:

waikariboy:

looking at this could you increase security limiting where from you can access these sorts of sites. Like, anywhere outside of NZ is blocked unless you enable something? i use cloudflare tunnels and i put on a firewall setting to limit access to only new zealand and aus.

This is counterproductive. New Zealand citizens still need access to their data while overseas, wherever they are.

understand this, and users can say enable option for access outside NZ. My thought was to limit the access to these sorts of sites from outside NZ and there by helping to increase security. yes hackers could bypass this with a simple VPN to new zealand.

Balm its gone!

freitasm

BDFL - Memuneh
80654 posts

Uber Geek
+1 received by user: 41050

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3449666 4-Jan-2026 17:12

Eva888:

kiwifidget:

My GP clinic definitely took a copy of my passport a few years ago, even though I was a long time patient.

It was required due to some new regulation the Health Board brought in.

But my passport expired 3 weeks ago, so is that at least useless to them?

Mine also expired and has a different number now, but the photos, correctly spelled name and DOB are still there. This information could all be encrypted and only visible to authorities and their machines at airports.

I recall having to go to hospital and they asked for my passport and copied it. You can bet I won’t be allowing that again anywhere. They can look at it and verify but never giving my details for anyone to copy and keep again. The banks also demand passport. It’s very clear that no entity can be trusted anymore.

Banks and lawyers are required by law to identify their clients.

I was never asked for a passport at a hospital or GP practice.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

geek3001

220 posts

Master Geek
+1 received by user: 331

ID Verified

Subscriber

#3449667 4-Jan-2026 17:28

freitasm:

Banks and lawyers are required by law to identify their clients.

Things may have changed however when I last completed AML formalities with my lawyer in 2019 (part of a large law practice), she was quite clear that she was required to take a copy of the passport photo page and signature page, stamp that copy with their standard 'Certified True Copy' stamp, and then retain that certified copy on their files.

If the practice was audited for AML compliance by the Dept of Justice, and could not show that they had performed the ID checks properly on a random sample of records, then they risked a full audit of ALL of their client files, with the loss of lawyer-client confidentiality on those files.

We are stuck with using our passport or drivers license for photo ID purposes.

That said, I am happy with leaving a copy of my passport in those circumstances where it's legally required.

I question those that say they need to retain a copy, versus them just needing to physically sight the document and then say they've seen it.

I believe that a medical practice / hospital would fall into the category of recording the fact that they sighted the document, they don't need to retain a copy of it.

I am very careful about any copy being taken of my legal signature, which includes the page opposite the photo page in a passport, lest that copy of my signature fraudulently find its way onto a document that I have never seen, that could be detrimental to me.

1 | ... | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | ... | 29