The Southland App
Advocate Communications

Ex-users' data may have been stolen in Manage My Health breach


Reporting by RNZ

06 January 2026, 11:25 PM

Manage My Health chief executive Vino Ramayah. Photo: SCREENSHOT / RNZ

People whose GPs no longer use Manage My Health may still have had their historical data hacked.


Hackers are threatening to release 400,000 files from 120,000 patients, if the health portal does not pay a US$60,000 (NZ$103,000) ransom.


Manage My Health has begun telling general practices whether their patients have been affected, and it is working on telling individual patients via a Privacy Act notification.



A number of people have told RNZ their GP had previously switched from Manage My Health to another platform, but they can still log in to Manage My Health and see their information there.


Manage My Health chief executive Vino Ramayah confirmed the company holds on to records unless a patient cancels their account.


It was up to patients to cancel their account, not their GP, he said.



"When... a practice leaves Manage My Health, the patients have a choice to continue to use Manage My Health or they can close the application, in which case we will delete the data," he said.


"It's essentially patient data - we need their consent because we'll be wiping out a lot of their historical data, so that is why it is stored."


People can use the platform privately - they do not need to use it through their GP, he said.



Ramayah said people should have "a level of personal diligence" with their Manage My Health accounts. Users should change their passwords regularly, and use two-factor authentication, he said.


"I would encourage everyone to consider security as a very key part of your thinking, especially when you put sensitive information in an application, irrespective of whether it's Manage My Health or... any other healthcare app."



How long should medical records be kept for?

The privacy commissioner's website said health agencies should not keep medical information for any longer than they have a lawful purpose for using it.


"The Health (Retention of Health Information) Regulations 1996 say that health agencies must keep any health records they hold for a patient for 10 years from the last time they provided services to that patient.


"However, this requirement doesn't apply if the health agency has transferred the files to a new healthcare provider or if they have given the complete file to the patient (or, if the patient has died, to the patient's executor)."



Informing affected patients, GPs

Manage My Health said on Tuesday it was beginning to tell GPs whether their patients were caught up in the breach.


It said affected GPs could log in to a portal to see which patients had their data stolen and what records were taken.


It would also inform practices that no longer use Manage My Health, and it was working on notifying affected patients.



"The Privacy Act requires individuals to be notified when their information has been accessed in an unauthorised way," it said.


"[Manage My Health] is taking on this responsibility on behalf of the practices, to which the information is being provided so that practices can provide support after individuals have been notified.


"Privacy Act notifications will go to practices through Manage My Health, together with details of how more information and support can be accessed."


Manage My Health would also establish an 0800 helpline for impacted patients, it said.



Published by permission
