Commissioner notes potential Privacy Act breach on security of personal information
Simeon Brown, health minister, has written to the director-general of health to commission the Ministry of Health to lead a review, commencing by 30 January, concerning ManageMyHealth’s (MMH) and Health New Zealand’s response to MMH’s serious cybersecurity breach involving patient information.
MMH, a privately operated patient portal that stores medical information, enables some general practices in the country to share health information with their patients and allows patients to communicate with their health professionals.
“I know this breach will be very concerning to the many New Zealanders who use ManageMyHealth, and we need assurances around the protection and security of people’s health data,” Brown said in a news release. “Patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards.”
According to the government’s news release, the review seeks to:
“While this review should commence as soon as possible, it is important that the focus continues to be on the immediate response to the incident and that we do not distract from this response,” Brown added. “An Incident Management Team has been meeting daily to coordinate advice and support across government agencies.”
In the meantime, he expressed his expectation for the Ministry of Health to develop terms of reference, in consultation with the government chief digital officer and the National Cyber Security Centre (NCSC), as well as a review process timeline.
According to Brown, Health New Zealand advised that:
“We must learn from this incident, to avoid any repeat events in the future,” he said in the government’s news release.
On 1 January, MMH notified the Office of the Privacy Commissioner (OPC) of the cybersecurity breach. MMH, the OPC, and other agencies have been collaborating to contain the breach, investigate its size and scope, and identify and alert the impacted individuals and entities.
“It's still early in the incident response process and our current focus is to support MMH and relevant health agencies in their response to the breach and notifying and supporting affected parties,” the OPC said in a statement.
The OPC expressed its expectations that MMH and other affected health agencies would be able to show the privacy commissioner:
The OPC’s statement emphasised that failing to take reasonable steps to:
According to the OPC, as its next steps in response to the breach, it will consider additional action as the Privacy Act regulator. It will likely investigate, given the incident’s scale and depending on MMH’s information:
In a news release, the NCSC noted that it knows about the data breach affecting some MMH users and has been working with Health NZ and other government agencies to respond to the incident.