
The hack affected 99,146 patients with information in MMH patient portals (lower than initial estimates, which suggested more than 126,000 people were impacted).
Privacy commissioner Michael Webster, in his first phase inquiry report, said it was one of New Zealand’s largest known breaches of sensitive personal information, and one which caused serious distress to many of those affected.
His report was one of three on the breach released last week, the others commissioned by the Ministry of Health and Te Whatu Ora Health New Zealand.
All painted a grim picture of shortcomings in security.
In recent years, the Ministry of Health has actively encouraged the use of patient portals in the health system.
While MMH is not the only private portal provider, at the time of the hack it was the largest with 1.8 million registered users.
The online portals allow patients to communicate with their healthcare providers, including to book appointments, request repeat prescriptions, receive laboratory results, and share clinical notes.
Mr Webster says that, done well, the portals can enhance privacy by providing patients better access to and control of their own information. They can also improve efficiency. But all the investigations into this incident suggest there has been a set-and-forget approach to security.
Mr Webster found that MMH, an organisation whose whole business involves handling and storing sensitive information, and HNZ failed in their responsibilities to have reasonable security safeguards in place.
Although both organisations have taken steps to improve practices since, Mr Webster issued them with compliance notices to ensure they can demonstrate they are now compliant with the Health Information Privacy Code.
Most affected patients were in Northland where HNZ had a well-intentioned pilot programme to share discharge summaries with patients using the MMH patient portal. This later expanded to include e-referrals and laboratory test results.
Patients were actively encouraged to sign up to MMH, but cyber security and privacy requirements were not defined in detail within the MMH-HNZ contracts or by the initial project. There was a reliance by HNZ on MMH’s systems rather than taking an independent view of the situation.
Such confidence was misplaced, with Mr Webster identifying multiple issues with MMH security systems, including inadequate security testing and poor data leak protection. It was HNZ which alerted MMH to the hack because MMH systems did not pick it up.
An active project steering group lacked direct privacy or security representation, nor could Mr Webster find evidence the project team received advice from internal privacy or security specialists early enough to properly inform the project design.
It is perhaps telling that HNZ was unable to contact many former staff to check this question. Was this lack of institutional knowledge related to the recent controversy over cuts to Information Technology staff at HNZ?
There must be staffing questions linked to the Budget allocation of $153.6 million to HNZ to expand national cyber security monitoring, strengthen data security processes and deliver critical IT safety upgrades across the health system.
Health Minister Simeon Brown said that in the next year HNZ will implement a programme to identify and manage cyber risks posed by third-party vendors and systems, strengthen accountability for fixing security risks, introduce annual audits of critical systems, and use scalable tools, including AI-enabled assessments, to improve cyber security maturity across primary care.
He is expected to receive advice from the Ministry of Health this month on policy, regulations and law governing the management, storage and protection of information. This will include looking at the development of an accreditation framework for organisations, such as portal providers, that have access to personal health information and supply services to the health system.
Mr Webster expects to publish his second phase report later in the year too. It will include examining whether patients were properly asked for authorisation before MMH accounts were set up for them, if they got adequate information about the portals, and how information was retained and deleted. All these issues are important beyond HNZ and MMH. Now the spotlight is on them, the impetus for improvement must continue apace.











