Reporting by RNZ
04 January 2026, 10:23 PM
Health Minister Simeon Brown has called the hack a 'deeply serious situation'. Photo: RNZ / Mark Papalii
Thousands of patients caught up in the ManageMyHealth ransomware attack could be at risk of identity theft or extortion, cyber security experts are warning.
The hackers, calling themselves "Kazu", posted on Sunday morning that unless the company paid a ransom within 48 hours, they would leak more than 400,000 files in their possession.
In a post on Telegram, the group purporting to be behind the breach said it had brought forward the deadline from 15 January in part because ManageMyHealth had responded faster than expected, but mainly to "put pressure on the company".
"Their ignorance of our emails and messages, along with their failure to acknowledge users or explain exactly what happened, is the main issue. Many MMH users have been asking the company for an explanation, but they've either ignored them or responded with vague statements."
Kazu said it had opted for a low-ball ransom demand of $60,000 "to protect the data and quickly close the deal".
"But it seems the company doesn't care about their users' data."
The hackers indicated they were prepared to leak the "valuable" data just to make a point.
"We know exactly how valuable health data is and how sensitive it can be.
"Even if the company doesn't pay the ransom, we can still find buyers for this data.
"To prove our claims and increase the chances of successful deals in the future, we decided to leak the data for free if they don't pay the ransom."
Kazu said they were "not a hacktivist group with political motives".
"We're doing this as a business. Our main goal is money and building a good reputation in the community."
The hackers claimed to have successfully extracted ransom money from many healthcare companies in Asia and Africa over the last two months.
"Once the company pays, we send them a copy of the data, delete it from our servers and never post anything related to the company again."
Samples for potential "buyers" included clinical notes, lab results, vaccination records, medical photographs and personal identification details, including names, birth dates, addresses, emails and phone numbers.
IT consultant and Hornby community board member Cody Cooper was signed up to ManageMyHealth through his GP.
"My clinic has got 20,000 patients so there's a real push for online. It's seen as convenient, but patients don't have a lot of choice."
He went online to verify the veracity of the claims and was horrified by what he found.
"There's people's passports, there's people's ADHD documents from a psychiatrist, there's pictures of people unclothed. It's very personal data. And my concern as a patient would be, will someone blackmail people? Or try to extort them personally as well, if they don't pay up?"
From what had been made visible so far, it did not appear the data had been encrypted, Cooper said.
"You can infer this fairly safely because resetting passwords doesn't cause users to 'lose' their stored documents. If the data had been encrypted properly with keys tied to credentials, access would break when credentials change."
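The inference above rests on a credential-bound key design. The following is an added illustration of such a design (not ManageMyHealth's or Cooper's code): each user's documents sit under a random data-encryption key (DEK) that is stored only wrapped under a key derived from the password, so a password change that presents the old credential keeps access while a reset that does not cannot. The function names and the standard-library PBKDF2/HMAC wrap are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed illustration (not ManageMyHealth's code): the DEK that protects a
# user's documents is only ever stored "wrapped" under a key-encryption key
# (KEK) derived from the user's password. PBKDF2 and HMAC from the standard
# library stand in for a production KDF and key-wrap primitive.

ITERATIONS = 200_000

def derive_kek(password: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the DEK, the last 32 authenticate the wrap.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)

def wrap_dek(dek: bytes, password: str) -> dict:
    salt = os.urandom(16)                      # fresh salt, so the mask is never reused
    kek = derive_kek(password, salt)
    masked = bytes(a ^ b for a, b in zip(dek, kek[:32]))
    tag = hmac.new(kek[32:], salt + masked, "sha256").digest()
    return {"salt": salt, "masked": masked, "tag": tag}

def unwrap_dek(blob: dict, password: str) -> Optional[bytes]:
    kek = derive_kek(password, blob["salt"])
    tag = hmac.new(kek[32:], blob["salt"] + blob["masked"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None                            # wrong password: DEK stays sealed
    return bytes(a ^ b for a, b in zip(blob["masked"], kek[:32]))

def change_password(blob: dict, old_password: str, new_password: str) -> dict:
    """User-driven change: the old password unlocks the DEK, which is re-wrapped."""
    dek = unwrap_dek(blob, old_password)
    if dek is None:
        raise ValueError("old password needed to re-wrap the DEK")
    return wrap_dek(dek, new_password)

def demo() -> dict:
    dek = secrets.token_bytes(32)
    blob = wrap_dek(dek, "old-password")
    rewrapped = change_password(blob, "old-password", "new-password")
    # A helpdesk reset sets a new credential without the old one, so the stored
    # wrap cannot be updated and the documents under the DEK become unreadable.
    return {
        "user_change_keeps_access": unwrap_dek(rewrapped, "new-password") == dek,
        "old_password_rejected": unwrap_dek(rewrapped, "old-password") is None,
        "admin_reset_breaks_access": unwrap_dek(blob, "reset-password") is None,
    }
```

If a portal instead keeps the DEK under a server-held key, every reset leaves the documents readable, which is the behaviour Cooper says he observed.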
He also questioned why ManageMyHealth took so long to respond.
"The hack was published around 10pm on 29 December, the MMH website notice appeared on the afternoon of 31 December, but the site wasn't taken offline until that evening."
Furthermore, the company was taking too long to inform affected clinics and patients, he said.
"It should have been able to determine the extent of the breach relatively quickly. The fact that, days later there is no clear confirmation about what was accessed or copied is worrying."
However, there was no guarantee that giving in to the hackers' demands would solve the problem for MMH, he said.
"They may still release the data anyway, they may still contact people, we have no way of knowing if they will honour it.
"Furthermore, if that person is from a country with sanctions, there are laws and treaties that forbid that payment from being made legally as well."
Patients were just collateral damage, he said.
"I will personally probably look to close my account. I can't really have confidence in the system after this. Hopefully my clinic will find a solution that's better."
The Health Minister said the cyber breach of the country's largest patient information portal was a "big wakeup call".
Simeon Brown told Morning Report he was incredibly concerned.
"It's a deeply serious situation," he said.
"I've been briefed a number of times by health officials who are working very closely with ManageMyHealth in regard to the notification process."
He said ManageMyHealth was also working with the Privacy Commissioner and the National Cyber Security Centre, who were providing them with advice around the notification process.
Brown said his expectation was that they do it as quickly as possible, but they also had to do it accurately as well, and in compliance with the Privacy Act.
"There's a number of processes they have to go through. My expectation is that they do that as quickly as possible so that patients who have had data breached are aware of that and of what data has been breached," he said.
Brown said the advice he had received was that the hackers had so far released only a very small portion of the data as part of their attempt to extract a ransom payment.
There was a forensic process underway to identify who had been affected, followed by the notification process, which was what ManageMyHealth was doing, he said.
Brown said the group was using the hacked information to extract a financial reward, but it was not known where the group was operating from.
"The reality is that here is a big wakeup call in terms of the protection of private health data and their need for that to be held in the most secure form possible so that patients can have confidence in how it is being used," he said.
Data journalist Keith Ng said the hackers appeared to be using ManageMyHealth to leverage a bigger payout from one of their other targets: Saudi Icon Ransom.
"They're implying they've got their hands full and don't want to be distracted by small fry here, that's their explanation for wanting this over quickly - and if they don't get their ransom they will release data for free."
For Kazu, it was an exercise in brand management.
"They want to establish themselves as a 'trustworthy' ransomware group. By that they mean 'If you pay us, we'll delete the data and you'll never hear from us again. If you don't pay us, bad things will happen to you'.
"So they want to build up their business and use the New Zealand dataset to make an example out of, so people will take them more seriously in the future."
Unfortunately, the ManageMyHealth breach was unlikely to be the result of a sophisticated hacking operation, Ng said.
"This is probably a couple of days work for a couple of people. It's not like an elite hacking crew, it's about volume and they want to make sure they've got targets on the hook all the time.
"They poke around and try to find common vulnerabilities, flaws, they're really looking for low hanging fruit - and if they don't find it, they move on quickly to the next target."
Over and above the technical question of which part of ManageMyHealth's system was not secure, the more important question was what processes it had in place, whether it was having regular independent security audits and taking action to fix the problems identified, he said.
"A business that sets itself up as a health information management system has a lot of incentive to do things right because when they fail, really catastrophic things like this happen, and it is an existential risk for them.
"So we should expect better from these businesses and the fact they let this one slip past them, they should be held accountable."
In its public statements, ManageMyHealth appeared to be trying to minimise the scale of the problem, Ng said.
"They're saying only 7 percent of users were affected, but 7 percent of 1.8 million is quite a big number. The other thing they've said is 'only one component' of the site is affected, not the core database. But it's the kind of things in there - medical photos, test results - which make it so sensitive and damaging for people who are affected.
"It's probably the worst data breach that I recall seeing in New Zealand so far."
Aura Information Security's Patrick Sharp said medical records were hugely valuable to criminals.
The Medibank ransomware attack in Australia in 2022 resulted in many thousands - "maybe even hundreds of thousands" - of real financial crimes, he said.
"It's quite likely that the 126,000 or so people affected - depending on the kind of information involved - may suffer at the hands of criminal gangs, lots of scams, blackmail, those kind of things."
ManageMyHealth has been approached for comment.
Published by permission