Experts warn against paying ransoms despite data risk
A deadline for hackers demanding US$60,000 after stealing hundreds of thousands of medical files from New Zealand’s largest patient portal has passed without further data being leaked.
The group calling itself “Kazu” posted on Sunday morning that unless Manage My Health paid the ransom within 48 hours, it would release more than 400,000 files. The deadline expired at 5:37am New Zealand time on Monday, but no additional data had been published.
The breach has affected more than 120,000 users of the platform, which provides patient portal services across New Zealand.
New Zealand health minister Simeon Brown said the government maintained its long-standing position that ransoms should not be paid. Manage My Health told media late Monday that any ransom demand was a matter for police and that it would not comment while the investigation was ongoing.
“We acknowledge we could have done a better job at communication,” the platform said in a statement. “However, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients.”
Brown said he had raised communication concerns directly with the company’s chief executive last week. “I spoke to the CEO last week, made my expectations incredibly clear around the need for Manage My Health to be clear and transparent with its communications to the public and its users,” Brown told RNZ.
Brown described the loss of the data as “pretty unacceptable” and announced an urgent government review into the breach.
Former UK Government Communications Headquarters intelligence officer Antony Grasso, himself a Manage My Health user, advised against paying ransoms even when personal data was at risk. “You’re bargaining with effectively criminals or thieves, and there’s no honour amongst thieves, we know that, and they may release it anyway and it also means we’re a soft touch,” Grasso said.
Deputy privacy commissioner Liz MacPherson told RNZ that issues with the platform’s security may have been raised previously. “As I understand it, there have been rumours for some time,” MacPherson said. She expressed frustration at widespread complacency around cybersecurity and noted New Zealand lacks civil penalty provisions, unlike Australia where major breaches can attract fines exceeding AU$50m.
The platform said it had obtained a High Court injunction preventing third parties from accessing posted data and was monitoring known data leak websites.