Manage My Health Data Breach: Security Warnings Ignored? (2026)

Imagine your most sensitive health information—details you trust only with your doctor—falling into the wrong hands. That’s exactly what happened to 127,000 New Zealanders when Manage My Health, a platform holding over 430,000 documents, was hit by a ransomware attack. But here’s where it gets even more alarming: cybersecurity experts claim the company ignored warnings about its lax security system years before the breach. And this is the part most people miss: the lack of government regulation, fueled by industry lobbying against 'red tape,' left the door wide open for such vulnerabilities.

Dr. Abhinav Chopra, a cybersecurity expert from Auckland University, first flagged these issues two years ago. He discovered gaping holes in Manage My Health’s system while investigating why his own health records were still stored there after his GP switched providers. In a detailed email to his GP, the company, and eventually the Privacy Commission, he highlighted critical flaws: no multi-factor authentication, unencrypted files accessible to multiple administrators, and more. His warning? Ignored. But here’s the controversial part: Chopra suggests the company might have a financial incentive to hold onto patient data, as their website boasts a database of 1.8 million Kiwis and the ability to target users with health-related messages. Is this about patient care—or profit?

A Wellington IT worker, caught in the breach, echoed Chopra’s concerns. She pointed out the stark contrast between how financial institutions and health platforms are regulated. Think about it: if your banking app crashes, it’s a major issue, scrutinized heavily. Yet, health platforms holding equally sensitive data operate with far less oversight. Worse, Manage My Health’s terms and conditions essentially absolve them of responsibility, stating they can’t guarantee their system’s security—even if they’re aware of vulnerabilities. It’s like saying, 'Our product might fail, but hey, give it a shot.'

Callum McMenamin, another expert who warned the company six months ago, criticizes the 300-page Health Information Security Framework as a 'high trust' system. The government sets standards but doesn’t enforce them, leaving companies to self-regulate. Political analyst Bryce Edwards argues this isn’t an oversight—it’s the result of industry lobbying. The Digital Health Association, representing health software vendors, has repeatedly pushed back against stricter privacy laws, calling them 'burdensome.' Meanwhile, successive governments have ignored calls for stronger penalties, like those in Australia, where companies face multi-million-dollar fines for breaches.

But here’s where it gets controversial: The Digital Health Association claims they’ve always advocated for 'better' regulation, not less. Their CEO, Stella Ward, insists their issue was with the Therapeutic Products Act’s lack of clarity, not its intent. She argues that stronger penalties alone won’t prevent breaches—what’s needed is a clear, consistent regulatory framework. Yet, critics counter that without penalties, companies lack the incentive to prioritize security.

Health NZ, while placing responsibility on Manage My Health, is now considering independent testing of third-party services like patient portals. But is this too little, too late? Here’s the question we need to ask: Should health data platforms face the same scrutiny as banks? And if not, why not? Let’s spark the debate—share your thoughts in the comments. Your voice could shape how we protect our most private information in the digital age.


Author: Roderick King
