Warning for hacked health portal users

The hackers, calling themselves 'Kazu', posted the threat on Sunday morning. Photo: Supplied
By RNZ reporters 

Netsafe is warning people to be extra cautious with emails they receive, including their private information, as hackers threaten to release more than 400,000 stolen health documents.

Patient portal Manage My Health is the largest in New Zealand and is used by general practices to relay information and dispatch prescriptions. It was hacked last week.

A deadline given by hackers Kazu demanding $104,000 ($US 60,000) for the stolen files had been set for about 5am today, but no further data has been released.

Unverified reports now appear to put the new deadline at 5am on Friday. 

Manage My Health said late yesterday that the ransom demand was a matter for police and it would not be making any comment about a ransom while an investigation was ongoing.

The platform apologised for pain and anxiety caused to health providers and patients, and acknowledged it could have communicated better.

"However, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients."

It said it would publish daily updates with all the information it could share.

RNZ has approached police for comment.

Netsafe chief online safety officer Sean Lyons. Photo: RNZ

Netsafe warning for portal users 

Netsafe is warning people to be extra cautious with emails they receive including their private information. 

Manage My Health has identified general practices whose patients have had their private health information breached, but it is not yet clear when the patients will be told.

Netsafe chief online safety officer Sean Lyons said it was difficult to know what to watch out for while it was unclear exactly what had been stolen. However, people should have a "raised level of suspicion" about any communication containing their private data.

"Even names, addresses, dates of birth, family members, we hear talk about maybe even scans of passport details."

Hackers could include that information in an email and claim to be the recipient's GP, Manage My Health, or another agency, Lyons said.

"So that kind of ... 'I must know who you are because I hold your NHI number, or I know your address and date of birth, therefore I must be from the agency that I say I am'," he said.

"So it really is being extra cautious around anything that contains your personal information and asking for more, for money, for more information."

Lyons said dodgy emails may also apply pressure, such as by setting deadlines for a response or payment, or by threatening people that they are at risk of prosecution or have broken the law.

"Don't give in to that pressure, contact the agency that somebody says they're from directly, don't use any of the communication methods, numbers, email addresses, whatever that they give you."

People could also contact Netsafe for advice if they are unsure, he said.

Anyone Manage My Health says has been affected by the data breach has the right to ask the company for more information, Lyons said.

"It's important that we know what it is that we should be looking out for, to what extent that information of ours has been breached, and what we might need to do to ... shore up our privacy position based on it."

Health Minister Simeon Brown. Photo: RNZ

Minister orders urgent review

Health Minister Simeon Brown has announced an urgent review into the breach and said the government had a long-standing position that ransoms should not be paid.

The minister said he had raised the issue of communication with the platform.

"I spoke to the CEO last week, made my expectations incredibly clear around the need for Manage My Health to be clear and transparent with its communications to the public and its users and to work closely with agencies and to make sure that they are following their advice," he told RNZ.

Brown described the theft of the data as "pretty unacceptable".

Manage My Health welcomed the review. It said its international team was monitoring known data leak websites and was prepared to issue takedown notices immediately if any stolen information was posted.

It had also obtained a High Court injunction preventing third parties from accessing data posted as a result of the cyber attack.

The High Court in Wellington has confirmed to RNZ it received an application for an injunction.

Manage My Health is New Zealand's largest patient portal. Image: Supplied

Luke Hogan, a senior technical manager at Intellium, said he could not see Manage My Health recovering.

"I don't know how they're going to come back from this, it's a bit tough," he said.

"For me it's really, really disappointing that basic cyber security has not been taken seriously.

"From my perspective, health data is right up there with financial data, some of the most critical data that needs to be protected. 

"It's just very, very disappointing and a little bit shocking as an IT professional to hear that this has happened."

Will ransom be paid?

While Manage My Health would not be drawn on the ransom, a former intelligence officer said ransoms in general should not be paid.

Antony Grasso had also worked at the Government Communications Headquarters (GCHQ), the United Kingdom's intelligence, security and cyber agency.

He himself was a Manage My Health user.

"I personally would advise not to, even if it was my own data that was going to get released, which it may be," he said.

"It's a tough call without giving the full context but the general rule is not to pay the ransom, that's the general rule.

"I mean, you're bargaining with effectively criminals or thieves, and there's no honour amongst thieves, we know that, and they may release it anyway and it also means we're a soft touch."

Grasso said he had not seen Manage My Health take many tangible actions after the breach.

"You know, just as a general bod on the street, I don't feel like they will necessarily have had a good plan for the response," he said.

"I haven't seen a lot of transparency and I haven't seen a lot of action that I would expect for a company that's holding that much private information."

Grasso said he hoped the security companies used by the platform would be dropped and would have nothing to do with it in the future.

"Because clearly, somebody's dropped the ball."

Deputy Privacy Commissioner Liz MacPherson. Photo: RNZ

'Rumours for some time' - Deputy Privacy Commissioner

Deputy Privacy Commissioner Liz MacPherson told RNZ she believed issues had surfaced in the past.

"As I understand it there have been rumours for some time but the issue we've got is that there are white knight hackers and others out there who do raise these issues, quite often it's very difficult to know whether these people are actually hackers themselves or whether they are white knights, so it's difficult to police," she said.

A white knight is a hacker who acts with good intentions to get vulnerabilities fixed.

"So as I understand it, these issues have been drawn to Manage My Health in the past and I think to some media outlets as well," MacPherson said.

She said the Office was irked by widespread complacency around cyber security.

"The frustration for us at the Office of the Privacy Commissioner is that we continue to see complacency from, and this is across the board... a continuation of the 'it'll happen to somebody else, not to me' type approach," she said.

"And you have to ask the question, is the lack of a penalty regime part of that?"

MacPherson said fines in Australia used to be around $3.3 million but had risen significantly.

"So the major breaches risk fines of up to greater than $50m AUD, which is three times the financial gain from the breach, or 30 percent of the company's turnover.

"I guess what I'm saying to you is that we didn't even have the lower level fines that they had, which were around $2 to $3 million," she said.

"We don't have any penalties, we do not have a civil penalty rating."