QMC pulling plug on hacked portal

Queenstown Medical Centre. PHOTO: ODT FILES
Poor communication and "mixed messaging" are behind Queenstown Medical Centre’s (QMC) decision to dump beleaguered patient portal provider Manage My Health (MMH), CEO Ashley Light says.

One of more than 350 GP practices across New Zealand affected by a cyber security breach late last year, it announced last Friday it had given MMH 90 days’ notice of terminating its contract.

Light tells Mountain Scene the breach was a "criminal activity and highly complex", but it’s been frustrated by MMH’s "unclear communication to our patients" since the incident.

"That frustration’s led us to looking for a better solution in the long term.

"There are some good alternative providers out there, and one of our key priorities is to ensure their data storage and cyber security is highly graded."

It’s now doing due diligence on the alternative providers and will have a new contract in place by April 9.

A hacker or group of hackers known as ‘Kazu’ accessed or downloaded hundreds of thousands of files from MMH — NZ’s largest patient health information portal — on December 29, then demanded a US$60,000 (about NZ$100,000) ransom from the company.

Light says some patients have contacted QMC to say they’ve been affected, but he doesn’t know how many are in the same boat because MMH is only informing its users directly.

Meanwhile, QMC is sharing all the information it receives on the unfolding situation on its website.

"We don’t know any more than the patients, and what we’re reading in the media."

Patients can check whether their personal data has been affected by logging into the MMH app or website, he says.

They can also get their data deleted by closing their account with MMH.

"We’re leaving it up to patients to make their own decision on that, we can’t do that on their behalf."

Although QMC is no longer adding consultation notes and lab results to the MMH database, its patients can continue using the portal — to book appointments, order prescriptions and message their GP — if they want to, he says.

MMH, which has been granted a High Court injunction preventing anyone from accessing or sharing the stolen data, says the breach affected 6-7% of the 1.8 million users of its app’s ‘My Health Documents’ module.

Live medical records, GP notes, specialist referral documents, prescriptions, secure messaging and appointment systems were not accessed or affected, the company says.

The NZ-owned company, established in 2008, also operates in Australia and India.

guy.williams@scene.co.nz

 
