Health Minister Simeon Brown commissioned the Ministry of Health yesterday to review the response to the ManageMyHealth cybersecurity breach, and WellSouth chief executive Andrew Swanson-Dobbs said the sharing of health information was a knock to public confidence.
The ManageMyHealth portal is used by general practices to relay information and dispatch subscriptions. It was hacked last week and the company said on Thursday up to 7% of its roughly 1.8 million registered users might have been affected - about 126,000 people. The day before it claimed it had the attack under control.
The hackers on Sunday threatened to leak more than 400,000 files unless the company paid them $US60,000 ($NZ104,000) by today.
However, it was being reported this afternoon the deadline could now be Friday.
The company yesterday was granted an injunction in the High Court to deny patient data being used publicly, the Post reported.
Mr Swanson-Dobbs said late yesterday general practices in the South had been told by the company which patients had been affected.
WellSouth expected to be contacted with more information last night.
He had earlier said he understood most of those affected were in Northland.
"But the biggest concern is the need to restore public confidence in sharing their health information on portals. It’s a great tool for practices, for interaction with patients and it’s a real concern that this breach has occurred."
He said it was too late now to say the fault had been fixed.
"If there was a fault known, it should have been fixed, and it is really concerning. I look forward to the minister’s review, and we look forward to understanding why this occurred.
"People share all their banking information, and that’s never been breached. More sensitive is their health information, and this should never have been breached."
Practices relied on having a good relationship and sharing information with their patients and portals were a great tool.
He said practice managers had been contacted by patients asking whether their information was safe or wanting to get their information out of the portal.
"But what we want to do is restore confidence in the use of portals, and I think the investigation into the reasons why needed to be done quickly.
"But it should not have occurred.
This company should have protected patient information.
"When you saw the headlines in the weekend that they fixed the known fault, I want to know what that means. I think there are more questions than answers so far.
"How do we restore public confidence in the use of portals? And the only way to do that is to do this investigation and find out why this private company failed to protect patient information.
"It has been a complete failure."
Police and the privacy commissioner were involved but he could not comment on whether a prosecution was possible, Mr Swanson-Dobbs said.
Mr Brown told media yesterday the ministry was taking the breach very seriously.
"People who hold data are responsible for that," he said.
Health data was among the most personal information and needed to be better protected.
"We need to do better," he said.
"I think what’s happened here is unacceptable and we need to make sure we get to the bottom of this."
He said those who were behind the attack were criminals, and the government’s approach and advice was that people not pay.
The important thing right now for the government was to be supporting the company to curb the risk and effects of the attack.
The minister has written to the director-general of health asking for the review to start by the end of the month.
The letter set out that the review should begin as soon as possible, but noted it was "important that the review does not distract from the immediate response to the incident".
— Additional reporting RNZ
