home.social

#managemyhealth — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #managemyhealth, aggregated by home.social.

  1. What's going on at the Privacy Commission? They told me to e-mail them to follow up on my Manage My Health complaint, but their mail server tells me that the address that they supplied "is no longer active" so my e-mail's been blocked by "a custom mail-flow rule created by an admin".

    It was just an update to say that another fifty days have passed since I last reported that MMH still haven't addressed my query about what personal information they hold about me. I first asked them this on 23 January. The law requires them to respond in a lot less than the several months that have passed thus far. "Requires", apparently, does not mean "requires", when it comes to New Zealand law.

    I can't help but wonder whether MMH CEO's been spending time in the PC's bed. That might be what the Commission website means by "working together".

    #managemyhealth

  2. OpenReception is an open source medical practice booking system. It's employing a lot of good and forward facing tech to enhance security as well as privacy (passkeys, PQC, Shamir Secret Sharing, etc.).

    Sounds like it might be a good alternative to tech stressed medical practices in #Aotearoa NZ.

    Unfortunately the link is in German. But the publisher often/mostly releases the same content in English a few hours later, then a clickable flag appears on the same page.

    Interesting to you, @lightweight ?

    heise.de/hintergrund/Terminbuc

    #ManageMyHealth #OpenSource #DigitalHealth

  3. @biddy_sue @felix @kyhwana @ThisCJ @oseiler

    Privacy Commissioner's response to ManageMyHealth breach: A masterclass in looking busy while doing nothing
    Timeline:

    29 Dec 2025: ManageMyHealth breach detected (108K-126K users affected)
    21 Jan 2026: Privacy Commissioner announces inquiry
    31 Mar 2026, 16:30: Privacy Commissioner sends email (effective 1 Apr - <24hrs notice)

    What the email says:

    Enquiries email address closing 1 April
    All complaint actions PAUSED until inquiry completes (no timeline given)
    To complain, you must FIRST:
    • Contact ManageMyHealth (who didn't respond to my 3 emails)
    • Contact Te Whatu Ora
    • Contact your GP
    • Provide documentary evidence of all attempts
    • Prove you gave them "reasonable chance to respond"
    Must demonstrate individual harm (not "general concerns about the breach")

    The Catch-22:

    Data not breached? = No individual harm = "general concerns" = not actionable
    Data was breached? = Must exhaust remedies with organisations that failed to protect you first
    Either way? = Complaint action paused indefinitely anyway

    What this reveals:
    The Privacy Commissioner is conducting an inquiry (looks like action) while making individual complaints nearly impossible (avoids making findings against government agencies/contractors).
    Independent security analysis showed ManageMyHealth had:

    DMARC set to monitoring only (anyone could spoof their domain)
    Weak 1024-bit DKIM keys (not industry standard 2048-bit)
    Zero DNSSEC protection across 19 subdomains
    Misconfigured email transport security

    These are basic infrastructure failures, known best practices for over a decade.
    But apparently that's a "general concern" not worth the Privacy Commissioner's time.
    Sent at 16:30 on 31 March, effective 1 April. You were meant to miss it.

    #NZPol #Privacy #DataBreach #ManageMyHealth #PrivacyCommissioner #Accountability
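
The DMARC and DKIM findings listed in post 3 can be checked mechanically from a domain's published TXT records. The following is an added example, not part of any post or of the analysis the post cites: it parses a DMARC policy record and a DKIM key record and flags `p=none` and RSA keys under 2048 bits. The record strings, the `example.test` addresses and the dummy key moduli are constructed.

```python
import base64

def parse_tags(txt):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = "".join(value.split())
    return tags

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo holding an RSA key."""
    seq, _ = _tlv(spki, 0)                 # outer SEQUENCE
    _, alg_end = _tlv(spki, seq)           # AlgorithmIdentifier
    bitstr, _ = _tlv(spki, alg_end)        # BIT STRING wrapping RSAPublicKey
    rsa, _ = _tlv(spki, bitstr + 1)        # +1 skips the unused-bits byte
    mod, mod_end = _tlv(spki, rsa)         # modulus INTEGER
    return int.from_bytes(spki[mod:mod_end], "big").bit_length()

def _der(tag, body):
    """Encode one DER element (used only to build the constructed sample keys)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def sample_spki(bits):
    """Constructed, structurally valid RSA SPKI with a dummy modulus (not a usable key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa))

def audit(dmarc_txt, dkim_txt):
    """Return a list of findings for one DMARC record and one DKIM selector record."""
    findings = []
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        findings.append("no valid DMARC record")
    elif dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none: monitoring only, failing mail is still delivered")
    dkim = parse_tags(dkim_txt)
    if dkim.get("k", "rsa") == "rsa" and dkim.get("p"):
        bits = rsa_bits(base64.b64decode(dkim["p"]))
        if bits < 2048:
            findings.append(f"DKIM RSA key is {bits} bits, below 2048")
    return findings

# Constructed sample records (in practice these come from TXT lookups on
# _dmarc.<domain> and <selector>._domainkey.<domain>).
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:reports@example.test"
WEAK_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(sample_spki(1024)).decode()
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:reports@example.test"
GOOD_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(sample_spki(2048)).decode()

if __name__ == "__main__":
    print(audit(WEAK_DMARC, WEAK_DKIM))
    print(audit(GOOD_DMARC, GOOD_DKIM))
```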

  4. Yikes!

    stuff.co.nz/nz-news/360942689/

    > An apparent hack of medication platform MediMap has led to some alive patients being marked as deceased, and others labelled as ‘Charlie Kirk’.

    > The digital medication management platform MediMap widely used across New Zealand remains offline after some records were found to have been “incorrectly modified”.

    Another day, another #NZ #Aotearoa health system breach ...

    #breach #privacy #ManageMyHealth

  5. @biddy_sue @felix @kyhwana @ThisCJ @oseiler @kyhwana

    I received a reply from the Office of the Privacy Commissioner today — largely procedural. It feels like quiet discouragement from pursuing the matter. Shame I am not wired that way. 😂

    I replied with compiled evidence of:
    • Process compliance (complaints lodged with both organisations the same day as OPC)
    • Good-faith patience (5+ weeks allowed)
    • Documented non-response (no substantive technical answers)

    I have asked the OPC to confirm my complaint is formally registered and considered for investigation. 😎

    It should not require this level of persistence to trigger accountability — but here we are. Perhaps I am stubborn? 🤔

    #ManageMyHealth #databreach

  6. Information security in New Zealand's health system is like a Jenga tower according to Adam Burns of BlackVeil who profiled all relevant domains for misconfiguration following the catastrophic #ManageMyHealth data breach.

    stuff.co.nz/nz-news/360932663/

  7. I suppose it's good to warn hack victims of potential exploits involving their data, but this PR from ManageMyHealth seems entirely speculative. The asterisks are mine.

    "... fraudsters *could* now be attempting to contact its customers..."

    "... people *might* now be sending spam or phishing emails that impersonate the company..."

    "... secondary actors *may* impersonate MMH..."

    More worrying is MMH saying it's "notified *most* of the people affected by the data breach" when it's been over three weeks since the hack was announced.

    rnz.co.nz/news/national/584745

    #ManageMyHealth #Privacy #NZ

  8. @biddy_sue @felix @kyhwana @ThisCJ
    Here are some thoughts on the recent #managemyhealth announcement in Stuff today stuff.co.nz/nz-news/360927765/

    Typically the Government's review focuses on response to the incident, not on why a privately-run patient portal handling sensitive health data had such poor security infrastructure in the first place.
    That's classic bureaucratic risk avoidance: review the incident response (which they can control going forward) rather than the procurement/oversight decisions (which might expose systemic failures in how Health NZ contracts with private health IT providers).

    The Privacy Commissioner inquiry is the mechanism that might actually examine whether the SPF/DMARC/DKIM/DNSSEC gaps identified constituted adequate security safeguards. The inquiry will determine whether appropriate security safeguards were in place and, if not, why not, plus what steps will prevent recurrence.

    Have to wait for the Terms of reference due 28 January. That will tell us how serious this inquiry actually is.

  9. MMH now prompted me for a password change. It didn't prompt me for the configured MFA TOTP code, but rather sent a code by email.

    When using a passphrase tweaked to meet their 'strength' requirements it failed. After meeting all the criteria in the first so many characters the check passed (otherwise same passphrase).

    Now I can't log in any more. Sounds like some client side security theatre with password truncation that will then fail on an actual log in on the front door.

    #MMH #ManageMyHealth #FAIL

  14. CW: NZ - ManageMyHealth were warned 2 years ago

    This excerpt is quoted verbatim from the Herald.

    ---

    University of Auckland cyber security expert Dr Abhinav Chopra said he discovered the holes in Manage My Health’s system two years ago when he was trying to find out why it was still holding on to his health records after his GP moved to a new provider.

    In an email to his GP, Manage My Health and eventually the Privacy Commission, he listed all the problems, including the lack of multi-factor authentication and the fact that multiple administrators had access to unencrypted files.

    “This is the same pattern. They should have invested. They’ve had two years and these are the exact same areas that have caused them the issue.”

    The company did not respond to him, he said.

    nzherald.co.nz/nz/manage-my-he

    #ManageMyHealth

  15. Queenstown Medical Centre has cancelled its contract with Manage My Health.

    They're frustrated by Manage My Health’s "unclear communication to our patients" since the hacking incident.

    MMH haven't been forthcoming with GP practices either. QMC says "We don’t know any more than the patients, and what we’re reading in the media."

    "That frustration’s led us to looking for a better solution in the long term."

    May this ball keep rolling.

    archive.ph/2smVz

    #ManageMyHealth #NZ

  16. "If you've been following the news, you will have seen the enormous Manage My Health shitshow, which has seen the medical records of 127,000 New Zealanders offered up for ransom."

    @norightturnnz, 2025

    norightturn.blogspot.com/2026/

    Holy crap. I've only just got out of a couple of weeks offline and this is what I come back to. Some folks may remember the thread I posted on the #ManageMyHealth privacy policy, after my GP recommended I sign up for it. Not good;

    mastodon.nzoss.nz/@strypey/114

    (1/2)

  17. @thenewoil

    Anyone could think that the current wave of attacks on healthcare infrastructure is in some way orchestrated, like someone is paying $$$ for the data..

    #ManageMyHealth

  18. Sorry to hear that.

    The bigger issue is NZ's lack of regulation when our most sensitive health data is ingested by for-profit companies. MMH face no penalties or fines, not as much as a slap over the corporate profits with a wet bus ticket.

    If there's no penalty for operating sloppy security, there's no incentive to improve.

    @Iveyline

    #ManageMyHealth

  19. My data was stolen when Manage My Health was hacked. I have had one email advising that and have heard nothing since. It's really troubling knowing that data may be in the hands of a party who may use it for malicious purposes. MMH has been appalling in its communications and letting us know what they are doing to protect our data and protect us from any such malicious use. The CEO should be forced to resign. Clearly he isn't up to the job. #managemyhealth #aotearoa #hacking

  20. Looks like another Aotearoa/NZ health provider #CanopyHealth has been breached.

    rnz.co.nz/news/national/583813

    Additionally another case of poor corporate communication with affected parties. Especially as it has happened half a year ago, and only *now* people are informed.

    #ManageMyHealth #breach

  21. @BobLefridge

    News came through yesterday that my GP's practice used #ManageMyHealth until 2020 when they moved to MyIndici, so you can add me to the list even though I never registered for MMH (or MyIndici) for obvious reasons.

    @paulhellyer

  22. Jeez, Paul. That's about as bad as it gets.

    Web standards consultant Callum McMenamin is critical of the lack of government monitoring of for-profit providers like MMH.

    "The government has created a health information security framework, its standards for health information security, but the government is not checking if those standards are being properly implemented within private companies like Manage My Health, or any of the other patient portals that we use."

    "It does seem that many health organisations have very poor IT security controls in place, so they're very easy targets. They're just sitting ducks."

    This was an easy breach just waiting to happen.

    stuff.co.nz/nz-news/360923597/

    @paulhellyer

    #ManageMyHealth

  23. I posted a few days ago that my ManageMyHealth account was one of those subjected to recent hack and one of my medical records had been stolen. That record was a referral from my GP to a specialist back in 2017. I have now been sent a copy of that referral from my GP at my request. (To the best of my ability, I couldn't find that referral on MMH myself.)

    That referral is 10 pages of my entire medical history, blood test results, personal details, contact information, family history, and so forth. It is information that you only share with your doctor - and your life partner. I feel completely violated and in a state of shock to be honest at just how much highly personal information was stolen, all of which is now presumably in the hands of people wishing to exploit it.

    #ManageMyHealth

  24. So I logged onto ManageMyHealth this morning to discover my account is one of those impacted, and one of the documents associated with my account has been taken by cyber criminals. According to MMH, the category of document was "PMS Specialist Referral," followed by a URL link to a PDF document with my surname and some numbers. When I clicked on the link, there was a "HTTP failure response for [URL]portalapiv2.managemyhealth.co.nz/api/HealthDocuments/DownloadFile: 404 OK" error message - so the document was not found. The date this document was uploaded to my account was back in November 2017.

    Clearly, I have never had a referral from a PMS Specialist - unless PMS also stands for something other than premenstrual syndrome. I checked what I was doing back in November 2017, and there were no visits to any doctors or medical specialists of any kind. Indeed, I was actually in Ōtepoti doing family history research at this time.

    So I rang the dedicated number and was put through after a 15-minute wait and quoted the reference number of the incident. I felt for the person as who wants to deal with this sort of thing on a Sunday morning? The call centre was only doing triage, and the person couldn't answer any of the many questions I had, but said they would pass it on to the next level of support. They will call me back within a day or so.

    Shambles doesn't come close to describing this. I can only assume ManageMyHealth has misidentified the person associated with the breach - which in itself is as frightening as any part of this debacle. Just imagine if I had been able to access the PMS Referral document and it was for someone else!

    I will keep you all posted.

    EDIT: Disabled hyperlink

    #ManageMyHealth

  25. CW: NZ - ManageMyHealth hack - Keith Ng

    Keith Ng at the Herald has a good summary of what's known and where we're at.

    "MMH has confirmed that only a single stolen user account was used in the attack. Posing as a normal user, the hackers were able to trick the application interface into providing the files for 127,000 other users. The control mechanisms meant to stop one user from accessing other users’ files had failed, or did not exist."

    It sounds like they accessed one person's files, then trimmed the URL to move up a directory or two where they found paydirt.

    So less of a hack, more of a problem with poor or non-existent security.

    archive.md/EXu2y#selection-412

    #ManageMyHealth
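
The failure quoted in post 25, an authenticated user being served other users' files, is a missing object-level authorization check. The following is an added example, not Manage My Health's code or code from any post: it puts the flawed handler pattern beside a handler that verifies ownership on every request and counts denials per account so that enumeration shows up in monitoring. The class, its methods, the threshold and the sample data are all hypothetical.

```python
from collections import Counter

class Forbidden(Exception):
    """Caller is not logged in."""

class NotFound(Exception):
    """Document does not exist, or is not visible to this caller."""

class DocumentService:
    def __init__(self, owners, alert_threshold=3):
        self.owners = dict(owners)          # document id -> owning account
        self.alert_threshold = alert_threshold
        self.denials = Counter()            # account -> denied requests

    def download_unchecked(self, session_user, doc_id):
        """Flawed pattern: checks that the caller is logged in, never whose file it is."""
        if session_user is None:
            raise Forbidden("login required")
        if doc_id not in self.owners:
            raise NotFound(doc_id)
        return f"document {doc_id} (owner: {self.owners[doc_id]})"

    def download_checked(self, session_user, doc_id):
        """Hardened pattern: the owner comes from server-side data, not from the request."""
        if session_user is None:
            raise Forbidden("login required")
        if self.owners.get(doc_id) != session_user:
            # Same answer for "missing" and "someone else's", so a caller
            # cannot use the response to learn which ids exist.
            self.denials[session_user] += 1
            raise NotFound(doc_id)
        return f"document {doc_id} (owner: {session_user})"

    def accounts_to_review(self):
        """Accounts whose denied requests reached the alert threshold."""
        return sorted(u for u, n in self.denials.items() if n >= self.alert_threshold)

# Constructed sample data.
SAMPLE_OWNERS = {101: "alice", 102: "alice", 201: "bob", 202: "carol", 203: "dave"}

if __name__ == "__main__":
    svc = DocumentService(SAMPLE_OWNERS)
    print(svc.download_unchecked("alice", 201))     # served although alice is not the owner
    for doc_id in (201, 202, 203):
        try:
            svc.download_checked("alice", doc_id)
        except NotFound:
            pass
    print(svc.accounts_to_review())
```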

  26. CW: NZ - ManageMyHealth data breach

    It's Friday morning in NZ and the extended 5am deadline given by the hacker has now expired.

    However the hacker took all of the sample materials offline two days ago. Did somebody perhaps pay the ransom? Will we ever know?

    Three further snippets of info have been released.

    "About 45 Northland-based GP practices are impacted and about 355 "referral-originating" GP practices across New Zealand regions."

    "The breach was limited to data stored in the "My Health Documents" module only. User data stored in the GP-provided "Health Records" module was not compromised as part of this incident."

    "It was announced yesterday that University of Otago Emeritus Prof Murray Tilyard has been appointed as an honorary clinical adviser to the Manage My Health board."

    archive.ph/YeGLP

    #ManageMyHealth #NZ #Hack #Ransom

  27. CW: Manage My Health Data Theft

    Bugger - four letters from Te Whatu Ora to my medical centre are in the data that has been taken from Manage My Health. The letters include basic identity information, e.g. name and address, NHI number, date of birth, and mobile number. The footer to the letter says "To receive an electronic copy of your hospital letters, talk to your GP practice about signing up to a consumer portal". Te Whatu Ora has been actively promoting the use of Manage My Health. Any inquiry should include looking into the extent to which Te Whatu Ora had responsibly assessed the risks before promoting (and continuing to promote) Manage My Health. #ManageMyHealth #TeWhatuOra

  28. @cameraobscura

    The #ManageMyHealth comms droids are channelling #TheFrontFellOff :

    5. What does “accessed” mean and is that the same as “downloaded”

    No. ‘Accessed’ means an unauthorised party may have viewed or opened files. ‘Downloaded’ means files were copied out of the environment. Independent forensics are being used to confirm what was accessed and what may have been downloaded.

    I note that they do not mention working with NZ CERT or the security agencies.

    @BobLefridge

  29. Well, I finally got around to evaluating the #ManageMyHealth portal;

    managemyhealth.co.nz/about-us/

    When my GP suggested I sign up with it, I presumed it was a public service offered by Te Whatu Ora, like My Health Record;

    tewhatuora.govt.nz/health-serv

    So what do I think of Manage My Health? Not impressed. This is a privately-owned, for-profit digital platform, that I can't be certain isn't #DataFarming patients who sign up with it.

    (1/?)

    #privacy #PublicService #PublicHealth #HealthPortals