Manage My Health, primarily used as a GP patient portal, was hacked and data was stolen relating to a large number of New Zealanders. What do we know so far?
On 29th December Manage My Health had a data breach in which data was stolen. Manage My Health is the patient web portal component of Medtech Evolution/Medtech Cloud (Evolution being the evolution of Medtech from Medtech32, which was for many years the predominant practice management system for GPs). Medtech Evolution has the largest share of the GP clinics in New Zealand. Its developers are mostly based in India.
In 2020 Medtech Global was sold by Vino Ramayah to Acclivis Group and at the same time spun out Manage My Health of which he is an owner and CEO.
Manage My Health contracts (and payments) are via the medical practices, so it is unclear where the lines of communication should lie. Should Manage My Health be going direct to the user, or via the medical practice? When a patient leaves a medical practice, should the patient's data be removed?
The data was stolen by a fairly new group called Kazu. The ransom demand is quite low at $60,000, and the group will likely honour a ransom payment to build trust for future payments: another ransom they are currently waiting on is $400,000 from a Middle East company, so they would be silly to ruin their reputation (as much of a reputation as a criminal group can have) over a $60,000 payment.
According to Manage My Health, the data relates to Health Documents for 126,000 individuals. Health Documents are typically objects that would have been letters years ago, or PDFs attached to emails now: discharge summaries, referral letters, photos, scanned documents. They are not the small items (events) such as blood pressure readings, DOB, phone number, weight results, allergies, or other items your GP notes down when you have an appointment.
According to Kazu they have 400,000+ objects/documents, which should relate to the 126,000 patients.
Manage My Health is a private company, they are not part of Health New Zealand/Te Whatu Ora, though it is likely a lot of the documents taken originated from Health New Zealand departments.
In a Telegram exchange between Kazu and a member of the public, Kazu stated that he was able to exploit the system due to weak access control.
Manage My Health's application for a court injunction mentions “This involved abnormally high-frequency login activity with repeated authentication attempts and the use of rotating IP addresses to hide the source of attack”, which doesn't line up with the theory that an API with weak access controls was exploited from a single logged-in account, unless Kazu first attempted a brute-force attack to gain access or somehow managed to log in with 127,000 different accounts.
A large number of Northland General Practices were impacted in the breach. Northland was an early adopter of Manage My Health patient portal which may be the reason why they were so heavily impacted.
355 impacted Medical Practices were mentioned in this article. It is unclear if the practices were users of Manage My Health or sent referrals to practices which were.
We do not know how many ‘instances’ of Manage My Health were affected. An instance could be a GP practice or an allied health practitioner.
It is ‘likely’ (not definite) that an API which surfaces components of data in Manage My Health had a weakness that Kazu exploited. Somehow they knew how to enumerate through large numbers of users and documents, so either the API had functionality that returned lists of patients and documents, or it used easily guessed ID numbers such as an incrementing number (001, 002, 003) rather than a random UUID. Files observed in what people have posted have had non-sequential filenames (i.e. ordinary file names), which suggests that a function to request a patient's health documents was used.
It is unlikely that the website supporting TLS 1.2 had any bearing on the event, as reported by some so-called cyber security experts. It is common for TLS 1.2 to remain supported so that users who cannot afford new devices can still use websites. This is a major requirement in health to provide equity for users from low socio-economic or ageing demographics.
Manage My Health did not have appropriate monitoring in place to prevent or detect mass abuse of their API.
User MFA has no bearing on the incident. It is good practice to set it up and reset your password, but there is nothing to suggest having it in place would have protected anyone.
The Minister of Health, Simeon Brown, has requested that the Ministry of Health undertake a review of Manage My Health and Health New Zealand's response.
While I would normally do everything in my power never to pay a ransom, and instead recover or ride out the ramifications of public disclosure, in this case, at such a low figure as $60,000, I would recommend it be paid to quickly extinguish the incident and protect the mental wellbeing of the patients, then move to investing some money to prevent a recurrence. Currently Manage My Health have spent a lot more on their poor response, suffered major trust issues with their user base, and have a lot more pain to come.
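The two patterns discussed above, one account reading documents belonging to many different patients (the suspected API enumeration) and repeated authentication attempts from rotating IP addresses (the behaviour quoted from the injunction application), are exactly what API monitoring should flag. The following is an added example, not Manage My Health's code; the audit log format, account names, IP addresses and patient IDs are constructed and assumed.

```python
# Added example (not Manage My Health's code): two detections run over constructed
# API audit log lines.  Log format, account names, IPs and patient IDs are assumed.
from collections import defaultdict
from datetime import datetime
# Constructed sample: "<ISO time> <source ip> <account> <event> <patient_id>"
SAMPLE_LOG = """\
2025-12-29T01:00:01 203.0.113.10 acct_a login_fail -
2025-12-29T01:00:02 203.0.113.11 acct_a login_fail -
2025-12-29T01:00:03 203.0.113.12 acct_a login_fail -
2025-12-29T01:00:04 203.0.113.13 acct_a login_ok -
2025-12-29T01:00:05 203.0.113.13 acct_a get_document p-1001
2025-12-29T01:00:06 203.0.113.13 acct_a get_document p-1002
2025-12-29T01:00:07 203.0.113.13 acct_a get_document p-1003
2025-12-29T01:05:00 198.51.100.5 acct_b login_ok -
2025-12-29T01:05:01 198.51.100.5 acct_b get_document p-2001
2025-12-29T01:05:02 198.51.100.5 acct_b get_document p-2001
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, acct, event, pid = line.split()
        yield datetime.fromisoformat(ts), ip, acct, event, pid

def cross_patient_access(log, max_patients=1):
    """Accounts whose document reads span more than max_patients distinct
    patient IDs.  A portal login maps to one patient, so anything above that
    is either an object-level authorization failure or mass enumeration."""
    seen = defaultdict(set)
    for _, _, acct, event, pid in parse(log):
        if event == "get_document":
            seen[acct].add(pid)
    return {a: len(p) for a, p in seen.items() if len(p) > max_patients}

def rotating_ip_auth(log, window_s=60, min_attempts=3, min_ips=3):
    """Accounts with at least min_attempts auth events from at least min_ips
    distinct source IPs inside one window (repeated attempts, rotating IPs)."""
    events = defaultdict(list)
    for ts, ip, acct, event, _ in parse(log):
        if event.startswith("login"):
            events[acct].append((ts, ip))
    flagged = {}
    for acct, attempts in events.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_win = [ip for ts, ip in attempts[i:] if (ts - start).total_seconds() <= window_s]
            if len(in_win) >= min_attempts and len(set(in_win)) >= min_ips:
                flagged[acct] = len(set(in_win))
                break
    return flagged
```

In the constructed sample only acct_a trips both rules; acct_b re-reading its own single patient's document is normal portal use and stays quiet.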