Yikes!

https://www.stuff.co.nz/nz-news/360942689/major-nz-health-app-breach-alive-patients-marked-deceased-names-changed-charlie-kirk

> An apparent hack of medication platform MediMap has led to some alive patients being marked as deceased, and others labelled as ‘Charlie Kirk’.

> The digital medication management platform MediMap widely used across New Zealand remains offline after some records were found to have been “incorrectly modified”.

Another day, another #NZ #Aotearoa health system breach ...

#breach #privacy #ManageMyHealth

@biddy_sue @felix @kyhwana @ThisCJ @oseiler @kyhwana

I received a reply from the Office of the Privacy Commissioner today — largely procedural. It feels like quiet discouragement from pursuing the matter. Shame I am not wired that way. 😂

I replied with compiled evidence of:
• Process compliance (complaints lodged with both organisations the same day as OPC)
• Good-faith patience (5+ weeks allowed)
• Documented non-response (no substantive technical answers)

I have asked the OPC to confirm my complaint is formally registered and considered for investigation. 😎

It should not require this level of persistence to trigger accountability — but here we are. Perhaps I am stubborn? 🤔

#ManageMyHealth #databreach

Information security in New Zealand's health system is like a Jenga tower, according to Adam Burns of BlackVeil, who profiled all relevant domains for misconfiguration following the catastrophic #ManageMyHealth data breach.

https://www.stuff.co.nz/nz-news/360932663/jenga-tower-why-nzs-health-cyber-security-leaving-patients-exposed-expert

@Firesphere

There's been a trickle of news about #ManageMyHealth, perhaps most significantly that the Privacy Commissioner is to do an inquiry:

https://www.nzdoctor.co.nz/article/news/privacy-commissioner-announces-inquiry-health-hacking-scandal

Privacy commissioner announces inquiry into health hacking scandal

Privacy commissioner Michael Webster will conduct an inquiry into the Manage My Health cyberattack to investigate privacy issues involved and whether appropriate safeguards were in place

New Zealand Doctor
Manage My Health data breach: Fraudsters attempting to contact customers

The organisation said customers may receive spam or phishing emails impersonating Manage My Health.

RNZ

I suppose it's good to warn hack victims of potential exploits involving their data, but this PR from ManageMyHealth seems entirely speculative. The asterisks are mine.

"... fraudsters *could* now be attempting to contact its customers..."

"... people *might* now be sending spam or phishing emails that impersonate the company..."

"... secondary actors *may* impersonate MMH..."

More worrying is MMH saying it's "notified *most* of the people affected by the data breach" when it's been over three weeks since the hack was announced.

https://www.rnz.co.nz/news/national/584745/manage-my-health-data-breach-fraudsters-attempting-to-contact-customers

#ManageMyHealth #Privacy #NZ

@biddy_sue @felix @kyhwana @ThisCJ
Here are some thoughts on the recent #managemyhealth announcement in Stuff today https://www.stuff.co.nz/nz-news/360927765/privacy-commissioner-launches-inquiry-manage-my-health-data-breach

Typically the Government's review focuses on response to the incident, not on why a privately-run patient portal handling sensitive health data had such poor security infrastructure in the first place.
That's classic bureaucratic risk avoidance: review the incident response (which they can control going forward) rather than the procurement/oversight decisions (which might expose systemic failures in how Health NZ contracts with private health IT providers).

The Privacy Commissioner inquiry is the mechanism that might actually examine whether the SPF/DMARC/DKIM/DNSSEC gaps identified constituted adequate security safeguards. The inquiry will determine whether appropriate security safeguards were in place and, if not, why not, plus what steps will prevent recurrence.

Have to wait for the Terms of reference due 28 January. That will tell us how serious this inquiry actually is.

@libroraptor NZ Privacy Commissioner announces inquiry into #ManageMyHealth #DataBreach and #privacy issues. Inquiry will also look at what steps will be taken to prevent such an incident happening again.

IMHO that should also include legal and policy settings and what actions by NZ Government and #HealthNZ are needed.
#NZpol
https://www.rnz.co.nz/news/national/584627/privacy-commissioner-announces-inquiry-into-manage-my-health-cybersecurity-breach

Privacy Commissioner announces inquiry into Manage My Health cybersecurity breach

The Privacy Commissioner says it is clear an investigation is needed given the scale of the incident.

RNZ

The Privacy Commissioner is opening an inquiry into the Manage My Health cyber breach.

https://www.stuff.co.nz/nz-news/360927765/privacy-commissioner-launches-inquiry-manage-my-health-data-breach

#ManageMyHealth
