MediMap data accessed

Forums › Health and fitness › MediMap data accessed

sampler

468 posts

Ultimate Geek
+1 received by user: 126

ID Verified

Trusted

Lifetime subscriber

#324067 24-Feb-2026 13:16

Well in the latest NZ medical data breach ... Medimap as reported here on stuff -> https://www.stuff.co.nz/nz-news/360942689/major-nz-health-app-breach-alive-patients-marked-deceased-names-changed-charlie-kirk

Quick details from the news article

"[Medimap is] used by the aged care, disability, hospice, and community health sectors, MediMap is a real-time electronic charting system that allows staff to manage patient medication."

I can see some tighter requirements and guidelines for medical portals in the NZ space.

1 | 2

8931 posts

Uber Geek
+1 received by user: 5466

#3464019 24-Feb-2026 13:32

Here we go again.

Its getting to the point were these breaches of Private "data portals" is going to kill the sectors reputation, and likely result in some form of centralised HealthNZ managed system,

( I mean they are indirectly paying for most of it anyway)

MikeB4

MikeB4
18814 posts

Uber Geek
+1 received by user: 12850

ID Verified

Trusted

Subscriber

#3464026 24-Feb-2026 13:39

A centralised HealthNZ managed system would create a single point of failure, not sure if that would be a good solution. These providers need to get their act together with their cyber security.

Here is a crazy notion, lets give peace a chance.

MadEngineer

4644 posts

Uber Geek
+1 received by user: 2619

Trusted

#3464027 24-Feb-2026 13:41

I’m predicting a portal being created that requires proof of identity before deeper transactions with a website or websites can proceed. Akin to but not quite the extreme of a vpn browser plugin.

No sign in should mean no access to any sensitive systems whatsoever. We need laws to remove personal information from internet facing services.

You're not on Atlantis anymore, Duncan Idaho.

KiwiSurfer

1759 posts

Uber Geek
+1 received by user: 1022

ID Verified

Lifetime subscriber

#3464044 24-Feb-2026 14:45

MikeB4:

A centralised HealthNZ managed system would create a single point of failure, not sure if that would be a good solution. These providers need to get their act together with their cyber security.

Not like several points of failure is any better to be fair.

muppet

2681 posts

Uber Geek
+1 received by user: 1732

Trusted

#3464058 24-Feb-2026 15:32

I've got hemorrhoids.

(I'm just getting ahead of the data breach so I can go "hahah I already leaked that, losers")

Zigg

443 posts

Ultimate Geek
+1 received by user: 317

#3464101 24-Feb-2026 18:00

Back to filing cabinets and landlines!

Lego

Shop now for Lego sets and other gifts (affiliate link).

Beavis

171 posts

Master Geek
+1 received by user: 37

#3464102 24-Feb-2026 18:18

New Zealand health systems IT. Will they never learn/improve?

https://youtu.be/mS7Ss8kx_CA?si=SYl8h-_khhClPvDa

Beware of FUD...

mattwnz

20561 posts

Uber Geek
+1 received by user: 4822

#3464103 24-Feb-2026 18:19

Maybe they need to employ banks to setup these systems. Honestly I don't think a lot of this information should or needs to be online as there is always going to be a risk there.

MadEngineer

4644 posts

Uber Geek
+1 received by user: 2619

Trusted

#3464392 24-Feb-2026 21:44

MadEngineer:

I’m predicting a portal being created that requires proof of identity before deeper transactions with a website or websites can proceed. Akin to but not quite the extreme of a vpn browser plugin.

No sign in should mean no access to any sensitive systems whatsoever. We need laws to remove personal information from internet facing services.

The "Gold standard"

https://en.wikipedia.org/wiki/National_digital_identity_systems

You're not on Atlantis anymore, Duncan Idaho.

Bung

6768 posts

Uber Geek
+1 received by user: 2951

Subscriber

#3464404 24-Feb-2026 22:22

muppet:

I've got hemorrhoids.

(I'm just getting ahead of the data breach so I can go "hahah I already leaked that, losers")

So does everyone. Without them you'd be going "Oh crap I'm leaking that."

gzt

19011 posts

Uber Geek
+1 received by user: 8105

Lifetime subscriber

#3464411 24-Feb-2026 23:47

mattwnz: Maybe they need to employ banks to setup these systems.

Banks are just a well known example that everyone can relate to instantly. Bank systems are not the only secure systems. I recall most of the ground was covered in the previous thread. This is more or less the same thing, different company, with added bonus of data editing demonstrated, so worse.

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

andrew75

150 posts

Master Geek
+1 received by user: 80

ID Verified

#3464437 25-Feb-2026 08:25

This is a clinical system with only username/password for security. Always going to be a recipe for disaster connected to the internet. They were lucky it was only demographic information changed and not prescriptions, that could have been very messy.

granada29

68 posts

Master Geek
+1 received by user: 57

#3464464 25-Feb-2026 09:33

According to MediMap, https://www.nzherald.co.nz/nz/medimap-director-says-hacker-corrupted-patient-details-after-stealing-user-login-credentials/FKM362YT7RD3TLHBGCKO7L4YBY/, the bad guy stole/misused the credentials of a single person. It's pretty hard to see how this resulted in the ability to change the details for other users of the system.

All these health portals should be subject to strict security audits on a regular schedule.

wellygary

8931 posts

Uber Geek
+1 received by user: 5466

#3464519 25-Feb-2026 10:03

granada29:

According to MediMap, https://www.nzherald.co.nz/nz/medimap-director-says-hacker-corrupted-patient-details-after-stealing-user-login-credentials/FKM362YT7RD3TLHBGCKO7L4YBY/, the bad guy stole/misused the credentials of a single person. It's pretty hard to see how this resulted in the ability to change the details for other users of the system.

Which is exactly the same story we were fed by Manage My health... But now they are splitting hairs saying "its wasn't a hack" because they came through the front door with a key...

TBH whether someone comes through your door with a key or not. but then rips the place up, you'd still call it a home invasion....

evnafets

570 posts

Ultimate Geek
+1 received by user: 275

Trusted

Lifetime subscriber

#3464523 25-Feb-2026 10:20

granada29:

According to MediMap, https://www.nzherald.co.nz/nz/medimap-director-says-hacker-corrupted-patient-details-after-stealing-user-login-credentials/FKM362YT7RD3TLHBGCKO7L4YBY/, the bad guy stole/misused the credentials of a single person. It's pretty hard to see how this resulted in the ability to change the details for other users of the system.

All these health portals should be subject to strict security audits on a regular schedule.

They obviously stole the credentials of a 'system user' - not a patient. Somebody with access to edit patient data, and then used that access to 'wreak havoc'.
And yes, 2FA would probably have stopped this 'attack' in its tracks.

So my basic questions

is there an audit log that has tracked the changes?
is there a 'backup' of the database from before the 'hacker' went on their spree?

Either of those would help with 'recovering' from this incident.

In terms of severity, I would term it low impact.

1 | 2