While many of us might not care who knows if we have athlete’s foot or an ingrown toenail, matters of sexual or mental health are not what we would want to see published or shouted from the rooftops.
Even the famous, who may be used to personal information about them becoming public, have aspects of their health they want to keep to themselves.
In recent time we have had the instances of the Princess of Wales and King Charles both referring to their cancer treatments, but choosing not to reveal the type of cancer involved.
Princess or pauper, we want those we give access to our health information to keep it securely and, should there be a breach of that security, to act quickly both to limit the scope of the breach and keep us well informed about what is happening.
The response to this week’s cyber security breach of privately owned Manage My Health (MMH) has not been good enough.
As many as 126,000 New Zealanders, among the 1.8 million of us who use the online patient portal, understood to be the largest one in the country, may have been caught up in the breach.
The patient portals allow communication with healthcare providers and can be used to schedule appointments, request repeat prescriptions, receive laboratory results, and access medical records.
Those who use the system would expect its security to be top-notch.
But there has already been criticism from at least one cyber security expert, Daniel Ayers, the encryption protocol being used was not the latest version, something he would have expected from a site which took its information technology security seriously.
He considered the breach was large by international standards and went as far as saying it was catastrophic on the New Zealand scale.
It is understood the hackers claim 428,000 files were involved, totalling 108 gigabytes and are seeking $60,000 US ransom to be paid by January 15.
Manage My Health has not moved fast enough to properly communicate with those who use its services.
Although it found out about the breach some time on December 31, it was not until the afternoon of January 1 it issued a press release.
Earlier, it had put a nebulous statement on its website (not dated as far as we could tell) advising it had identified a cyber security incident involving unauthorised access to our system, that it was investigating and ‘‘containment steps had been taken’’.
Late on New Year’s Day it had produced some frequently asked questions on its website, but what is involved is as clear as mud.
By yesterday afternoon MMH said preliminary findings indicated a specific group of documents were involved. Which documents?
It also said there was no evidence yet the core patient database was accessed, or that data had been modified or destroyed within the system, nor any access to user credentials.
In the company’s January 1 statement, we were told the Privacy Commissioner had been notified and was working with MMH, but there is no reference to that on the commissioner’s website.
We would have expected the commissioner’s office to have some skeleton staff coverage to provide some public communication, despite it being holiday time.
Some general practitioners have complained about MMH’s lack of communication with them, and the company was only to start contacting affected patients four days after MMH found out about the breach.
We understand these matters are complex, but we would be surprised if the company could not have moved faster to let all its portal users know directly about the breach, what it might involve, and what it was doing about it.
In the days ahead it will have much to do to reassure patients and restore confidence what it provides involves best practice.
