By Ruth Hill of RNZ
Thousands of patients caught up in the ManageMyHealth ransomware attack could be at risk of identity theft or extortion, cyber security experts are warning.
The hackers, calling themselves “Kazu”, posted on Sunday morning that unless the company paid a ransom within 48 hours, they would leak more than 400,000 files in their possession.
In a post on Telegram, the group purporting to be behind the breach said it had brought forward the deadline from January 15 in part because ManageMyHealth had responded faster than expected, but mainly to “put pressure on the company”.
“Their ignorance of our emails and messages, along with their failure to acknowledge users or explain exactly what happened, is the main issue. Many MMH users have been asking the company for an explanation, but they’ve either ignored them or responded with vague statements.”
Kazu said it had opted for a low-ball ransom demand of $60,000 “to protect the data and quickly close the deal”.
“But it seems the company doesn’t care about their users’ data.”
The hackers indicated they were prepared to leak the “valuable” data just to make a point.
“We know exactly how valuable health data is and how sensitive it can be.
“Even if the company doesn’t pay the ransom, we can still find buyers for this data.
“To prove our claims and increase the chances of successful deals in the future, we decided to leak the data for free if they don’t pay the ransom.”
Kazu said they were “not a hacktivist group with political motives”.
“We’re doing this as a business. Our main goal is money and building a good reputation in the community.”
The hackers claimed to have successfully extracted ransom money from many healthcare companies in Asia and Africa over the past two months.
“Once the company pays, we send them a copy of the data, delete it from our servers and never post anything related to the company again.”
Patients at risk
Samples for potential “buyers” included clinical notes, lab results, vaccination records, medical photographs and personal identification details, including names, birth dates, addresses, emails and phone numbers.
IT consultant and Hornby community board member Cody Cooper was signed up to ManageMyHealth through his GP.
“My clinic has got 20,000 patients so there’s a real push for online. It’s seen as convenient, but patients don’t have a lot of choice.”
He went online to verify the veracity of the claims and was horrified by what he found.
“There’s people’s passports, there’s people’s ADHD documents from a psychiatrist, there’s pictures of people unclothed. It’s very personal data. And my concern as a patient would be, will someone blackmail people? Or try to extort them personally as well, if they don’t pay up?”
He also questioned why ManageMyHealth took so long to respond.
“The hack was published around 10pm on December 29, the MMH website notice appeared on the afternoon of December 31, but the site wasn’t taken offline until that evening.”
Furthermore, the company was taking too long to inform affected clinics and patients, he said.
“It should have been able to determine the extent of the breach relatively quickly. The fact that, days later there is no clear confirmation about what was accessed or copied is worrying.”
However, there was no guarantee that giving in to the hackers’ demands would solve the problem for MMH, he said.
“They may still release the data anyway, they may still contact people, we have no way of knowing if they will honour it.
“Furthermore, if that person is from a country with sanctions, there are laws and treaties that forbid that payment from being made legally as well.”
Patients were just collateral damage, he said.
“I will personally probably look to close my account. I can’t really have confidence in the system after this. Hopefully my clinic will find a solution that’s better.”
Hackers building their ‘brand’
Data journalist Keith Ng said the hackers appeared to be using ManageMyHealth to leverage a bigger payout from one of their other targets: Saudi Icon Ransom.
“They’re implying they’ve got their hands full and don’t want to be distracted by small fry here, that’s their explanation for wanting this over quickly – and if they don’t get their ransom they will release data for free.”
For Kazu, it was an exercise in brand management.
“They want to establish themselves as a ‘trustworthy’ ransomware group. By that they mean ‘If you pay us, we’ll delete the data and you’ll never hear from us again. If you don’t pay us, bad things will happen to you’.
“So they want to build up their business and use the New Zealand dataset to make an example out of, so people will take them more seriously in the future.”
Unfortunately, the ManageMyHealth breach was unlikely to be the result of a sophisticated hacking operation, Ng said.
“This is probably a couple of days’ work for a couple of people. It’s not like an elite hacking crew, it’s about volume and they want to make sure they’ve got targets on the hook all the time.
“They poke around and try to find common vulnerabilities, flaws, they’re really looking for low hanging fruit - and if they don’t find it, they move on quickly to the next target.”
Over and above the technical question of which part of ManageMyHealth’s system was not secure, the more important question was what processes it had in place: whether it was having regular independent security audits and whether it was taking action to fix the problems identified, he said.
“A business that sets itself up as a health information management system has a lot of incentive to do things right because when they fail, really catastrophic things like this happen, and it is an existential risk for them.
“So we should expect better from these businesses and the fact they let this one slip past them, they should be held accountable.”
In its public statements, ManageMyHealth appeared to be trying to minimise the scale of the problem, Ng said.
“They’re saying only 7% of users were affected, but 7% of 1.8 million is quite a big number. The other thing they’ve said is ‘only one component’ of the site is affected, not the core database. But it’s the kind of things in there – medical photos, test results – which make it so sensitive and damaging for people who are affected.
“It’s probably the worst data breach that I recall seeing in New Zealand so far.”
Aura Information Security’s Patrick Sharp said medical records were hugely valuable to criminals.
The Medibank ransomware attack in Australia in 2022 resulted in many thousands – “maybe even hundreds of thousands” – of real financial crimes, he said.
“It’s quite likely that the 126,000 or so people affected – depending on the kind of information involved – may suffer at the hands of criminal gangs, lots of scams, blackmail, those kind of things.”
ManageMyHealth has been approached for comment.