Manage My Health failure highlighted

Damon Campbell. PHOTO: ODT FILES
Hundreds of Otago and Southland patients had their records breached in January’s Manage My Health saga.

The figures come from the Privacy Commission’s findings, released yesterday, into the nature of the breach and who should be held responsible for it.

It found that:

• Manage My Health had several key gaps in security that allowed the attack to happen.

• It failed to have systems in place that would detect that large amounts of information were being accessed, so that steps could be taken to interrupt the hacker before so much information was stolen.

• The inquiry also raised questions about the quality of Manage My Health’s overall approach to security design, as well as the quality of its risk management practices.

WellSouth Primary Health Network chief operating officer Damon Campbell said the findings were important.

‘‘Not only was the Manage My Health breach preventable, but it found that GP practices were not the source of the breach and could not have prevented it.

‘‘During the crisis response we advocated strongly for this position.’’

Mr Campbell said nearly 100,000 New Zealanders had their sensitive health information stolen, including many hundreds of affected patients in Otago and Southland.

‘‘Yet our general practices largely bore the brunt of this crisis.

‘‘Everyone in the health sector has a responsibility to safeguard patient information, including general practice.

‘‘However, practices trusted Manage My Health and Health New Zealand [HNZ] to have adequate protections in place, and that trust was misplaced.’’

The commissioner recommended that patient health portal providers be verified and approved centrally, and practice teams should be able to focus on their core role: supporting the health and wellbeing of their patients.

Third-party digital health providers such as Manage My Health need to be held to the same standards as the health agencies they serve, but HNZ also failed to uphold security obligations under the Health Information Privacy Code.

‘‘We therefore welcome the commissioner's intention to issue formal compliance notices to both organisations,’’ Mr Campbell said.

‘‘Described in the report as ‘the strongest tool currently available’, these notices will require both parties to demonstrate that the necessary changes have been made and are working.

‘‘The systemic lesson here is one the sector needs to take seriously: digital innovation in health is vital, but it cannot outpace the privacy and security frameworks that protect people.’’

HNZ's formal response plan will be published in July, setting out the way forward with regular reporting to the board and relevant agencies.

‘‘We will continue to track both the regulatory response and phase two as they unfold.’’

matthew.littlewood@odt.co.nz

 
