MMH cyber breach update
What happened?
Manage My Health (MMH) experienced a cyber event that impacted a limited feature of our platform for some of our users in New Zealand.
As soon as we became aware of unusual activity on our system, we took immediate steps to secure our platform, prevent any further unauthorised access and activate our incident response plan.
We can confirm that the issue has been contained, the affected feature secured, and independent cyber security specialists have been engaged to investigate and confirm the impact.
What information has been impacted?
We want to remind you that the incident relates to documents stored in the My Health Documents section. This includes:
- Documents users uploaded themselves, such as correspondence, reports, or results
- Clinical documents, including hospital discharge summaries and clinical letters related to care received in Northland Te Tai Tokerau
This did not include GP clinical systems, live medical records, prescriptions, secure messaging or appointment systems.
What action has Manage My Health taken?
1. Notifications to affected individuals
We are committed to supporting impacted individuals and communicating transparently with any relevant information.
We are progressing through the notifications, with most affected patients having now received a notification email. Our priority is to continue notifying the remaining affected patients and ensuring they receive appropriate support.
When we first identified the breach, our priority was to promptly inform all potentially affected patients. This approach was taken out of an abundance of caution and in the interest of transparency but resulted in some individuals being notified prematurely.
Our forensic investigation has since confirmed that certain individuals were not impacted, and we have updated them accordingly. Should you want more information on this, please log in to the Manage My Health web application to check your security status. If you see a green box at the top stating ‘No Impact,’ this confirms you were not affected by this cyber incident.
Completing the remaining notifications will take time due to the complexities of coordinating communications across different patient cohorts, relevant authorities and data controllers. This must be carried out securely and in full compliance with the New Zealand Privacy Act. We are engaged with appropriate authorities on this, including the Office of the Privacy Commissioner.
2. Legal & Injunction
We are taking every possible step to protect our clinics and their patients’ data. We have sought and been granted an interim injunction from the High Court to prevent any access, dissemination or publication of the impacted data by any third party.
Our teams are actively monitoring known data leak websites and we are ready to issue takedown notices immediately if any information is posted.
3. Agency and regulatory
We have notified and remain in close communication with the relevant agencies and regulatory bodies, including:
- Te Whatu Ora – Health New Zealand
- Office of the Privacy Commissioner (OPC)
- National Cyber Security Centre (NCSC)
- New Zealand Police
We remain committed to full transparency and a coordinated, collaborative response, working closely with all relevant parties to ensure compliance with regulatory, sector, and legal obligations.
4. Containment and ongoing monitoring
In response to the incident, MMH has taken several actions to contain and address the situation:
- Containment: Our forensic investigation experts have confirmed that the incident has been contained and the affected feature on the platform secured.
- Account credentials remediation: Account credentials associated with the unauthorised access have been remediated.
- Module disabling: The Health Documents module within MMH was temporarily disabled to facilitate vulnerability remediation.
- Vulnerability testing: Comprehensive testing has confirmed the vulnerability is no longer present in the platform.
- Ongoing monitoring: Continuous monitoring is in place to maintain security while simultaneously strengthening and upgrading our security and data protection systems.
- Independent forensic investigation: A specialist cybersecurity firm is conducting an independent forensic investigation, which is still in progress. As this investigation continues, we are unable to comment on specific technical findings at this time.
We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH. We’re investigating steps to limit this activity and have included guidance below on how to protect yourself.
What steps can you take to protect your information?
For more information on available support, please refer to the following:
- Email support: Any questions can be directed to [email protected]
- IDCARE phone support: MMH has partnered with IDCARE, Australia and New Zealand’s identity and cyber support service. IDCARE provides free, confidential support for identity misuse or compromise at 0800 121 068.
- FAQs: Visit our FAQs page for answers to common questions: https://managemyhealth.co.nz/faqs-cyber-breach/#faqs
- General resources: Please find additional general resources on identity and cyber security support here:
We take the privacy of our clients and staff very seriously and we sincerely apologise for any concern or inconvenience this incident may have caused.
We would like to thank you for your understanding and ongoing support as we work to resolve this as swiftly as possible.
