Kia ora.
I'm Chelsea Daniels and this is the Front Page, a daily podcast presented by the New Zealand Herald. A major online security breach has raised questions about how safe our private information is online.
Manage My Health's health portal systems were compromised over the new year, putting the data of over one hundred and twenty thousand users at risk. Later, we'll check in with internet security expert Black Veil's Adam Burns, who immediately identified flaws in the website, which isn't unusual for Kiwi domains.
But first on The Front Page, NZ Herald's senior reporter, David Fisher, has been following the breach and will break down what happened and who is behind it.
So David, let's start at the beginning.
What exactly happened in the Manage My Health breach and what even is it?
So Manage My Health is a patient health information database connection point where health services can upload and put information specific to an individual's account, a patient's account. I, for example, have a Manage My Health account. I get a regular blood test done and the lab results, they get posted in the Manage My Health account for me to see them at the same time as the doctor does.
Right, and it's kind of one of those things where, like, if you need another prescription filled or something, you just log in to Manage My Health and ask for another prescription.
Stuff like that.
The idea is that you automate everything.
Yeah, and some parts of the country don't have quite so much technology wrapped around their health services. Northland, for example, I suspect it's been particularly hard hit because that's the case there. The idea is to collect all the information that a patient needs to know and that their medical professionals need to know in one place.
And it's a widely used service too. Manage My Health, on its landing page, on its web page, says it is trusted by one point eight million New Zealanders to look after their health records.
Right, so this latest breach, tell me a little bit about it. How did it come about and how many people are potentially affected?
First sign of the breach was picked up by Manage My Health on December thirty and they realized or recognized that they had had unauthorized access to their platform. That suspicion became concrete the day after, December thirty one, when Manage My Health received an email from somebody who had claimed they had a leak. They posted a sample of the documents that they claimed had been leaked to them on a site where these things are posted, and they said, we'll keep it quiet and the documents will never see the light of day if you give us sixty thousand dollars US.
What kind of information are we talking about here?
So the sort of information is quite specific actually, and when you're going into Manage My Health, there's a range of different menus that you can click on, for example, the lab results one which I mentioned earlier for me, and prescriptions and so on. But there's also a part of the website which deals with clinical documents, and these are documents that are scanned and then uploaded onto the site. So this is the part that was hit. Manage My Health says it's about six to seven percent of the users that were affected by this. That works out to be between one hundred many one hundred and thirty thousand people. In court filings to get the injunction to suppress the information, Manage My Health cited one hundred and twenty seven thousand people. So the type of information that gets scanned that you could find on there is clinical discharge summaries, referral notices to specialists. There could be historical referral records, information that patients have uploaded themselves that they want other medical specialists to see. It could also have diagnoses of your situation. It can have medical histories, there are care plans, dates of birth, addresses, other personal information. If it is the case, as it is in the region of New Zealand that I live, that your health services aren't particularly joined up in a technical sense, you're more likely to have uploads like that happen, where your medical professional will produce a letter that might be sent to you in the post, but they will also scan it and upload it on to Manage My Health.
That's the information that's been taken.
Yeah, and you mentioned that Northlanders are particularly badly hit.
Yeah, that's right.
The thought is that it's about eighty five thousand, I think, was the number of people in Northland that were said to be affected by this. That is a hugely disproportionate number. And I've not seen an explanation as to why that might be, but I do suspect that it is that gap in technology. Northland healthcare, it's stretched, it's very stretched, and it has been for a very long time, and it is hard for GPs to make a go of a surgery up here. It's hard for surgeries to get GPs to work at them. A lot of the infrastructure is quite aged and quite dated. So to my mind, that would lend itself to a scenario where more information was produced in hard copy and then uploaded, sort of kind of like talking to your parents about how to do email stuff, where they will write up a letter on a computer, print it out, scan it, and then attach it to an email and send it to you.
Oh no, my mom takes photos of things and sends them to me.
Exactly that kind of thing.
What do we know about this group or the people that are responsible for this hack or say that they're responsible for this hack?
So the person, the individual that has claimed responsibility is an individual called Kazu, K-A-Z-U. That's a handle rather than a name. They say that they are an individual rather than a group. And that handle is relatively, it's only been in existence for the last six months. And I contacted the person claiming to be that hacker, interviewed them via Telegram, the social messaging app, and they had said that they had gone out on their own. Prior to that, they operated by a different handle, and by inference were more a part of a collective back then. We do know that they have been involved in other hacks or that they have been the recipient of hacked information in the past.
They've said to me that they have received payments for that and that it is a viable business model for them, that they look for health information as a particular thing that they do seek out, and having sought that out, they say that it's not unusual for them to extract money as a result of having obtained that information.
Yeah, and when it comes to the money, do we have any idea if that sixty thousand US has been paid out or not?
We don't know.
We do know that Kazu claimed to be in negotiations last week. I suspect that the time that was bought for negotiations was probably more in Manage My Health's favor, for cybersecurity people to try and track down Kazu, perhaps even our GCSB. Who knows.
But it's very often left unknown whether or not these payments are made, and there have been places in the past, not necessarily New Zealand, who have denied making payments and then evidence has emerged later that they have done. These places are in a terrible bind. One of the things that was puzzling about the Kazu hack was that the amount of money was seen as very small for the sort of information that was available. I talked to Kazu about that, and what was relayed back to me was that that's part of the model. Don't make it too painful, make it easy. And as they said to me, they're only in it to make money. They don't want to create obstacles or barriers that are going to get between them and the cash that they're after.
It is a real catch twenty two, isn't it? Like the whole thing? Do not negotiate with terrorists. So that's probably a pretty good reason as to why we don't say if we've paid or not, because then others around the world would be like, hang on, New Zealand's a place where they pay out pretty easily.
That's exactly right, and you become a target for further problems, and that's not the kind of attention that we want.
Nothing is one hundred percent secure. We are secure to the best of our knowledge, and we do all the professional test which any industry assessment will make independently that we were a secure software. I'm a victim of the hack. My personal record is out there, right, and so's lots of my friends and families. I am deeply distressed that this is out there and this has happened on software that our company has worked pretty hard to serve people.
In terms of Manage My Health, Manage My Health has described itself as a victim of crime while also admitting that it did drop the ball. Where do you see the line between being a victim and being responsible?
Well, the victims here are Manage My Health's clients, patients, the ones that the information belonged to. Manage My Health has, in my view, created a situation where they have been hacked. The Privacy Act is pretty clear on this. If you look after people's information, you are responsible for creating an environment in which that information is going to be safe. So that is your job, and that was Manage My Health's job. They should have created an environment in which no hacker could get to that information. So look, I'm very sad and sorry for Manage My Health. But if Manage My Health was able to produce evidence that they had a Fort Knox like security around patient information, then that sympathy that I have might be a little bit more than fleeting. My sympathy is with the patients. It's with those people whose information has been obtained by others.
And I've spoken to people who have lost, they believe, incredibly, incredibly personal information and really are having trouble getting through the day and sleeping at night as a result of it being out there.
So where do we go from here?
There's a government investigation under way, as ordered by Minister of Health Simeon Brown, and there's also an Office of the Privacy Commissioner investigation under way as well that will be looking as to whether Manage My Health met its responsibilities under the Privacy Act. In terms of the investigation ordered by Simeon Brown, I would have thought that the Ministry of Health would have required Manage My Health to meet some pretty stringent security standards to be able to set up and run the business that they have set up and run. If those weren't part of the baseline expectation, and if there wasn't auditing around that, then I think that question does come back to the Ministry of Health as well.
You know, if we're going to allow a situation where private providers can step in and take hold of what has traditionally been a state job, then they've got to be held to really, really high standards, and we're going to make sure that they're audited to ensure that they stay at those high standards. So this business will have quite a way to run in terms of accountability. In terms of tracking down Kazu, I think probably the same chance as a snowball on any of the days that we're having now. And for the patients and their private information, who knows. Kazu has said that if the money gets paid, then that information will never be seen again. They do have a track record of that, but that record is only six months long. The other thing about it, too, is that there's so much useful information in there to other people of Kazu's ilk, other people who will dates of birth or travel information, passport information, address information, all those personal indicators that, they're incredibly, incredibly valuable because they can be used to leverage other exploits that can earn other people like Kazu more money. So for those people, a very uncertain future. In an ideal situation, not that it is ideal, perhaps Manage My Health paid the money, perhaps Kazu did what Kazu said they would do and deleted all the information and that's the end of it. But those people that have been affected will not know that, and they can never really be sure, and that's a deeply, deeply unsettling thing for them.
Thanks for joining us, David.
Thank you, Chelsea.
After the breach, Adam Burns of security company Black Veil voluntarily tested the website and app and found flaws in both. He joins us now to break down what happened and what companies can do better to protect themselves.
So Adam, were there any warning signs or security gaps from your point of view when it comes to Manage My Health?
From the research that I did and posted in the blog, Yes, there were some big gaps that should have been plugged a long time ago. These are basic fundamental DNS domain issues. So yeah, there was a number of gaps that I would consider them to be required for any organization, but especially a health organization dealing with patient records and such.
And what kind of gaps? So you mentioned DNS.
Yeah, DNS stands for Domain Name System, so I'll just explain real quick what that is. When you visit a website on the Internet, you type a name like nzherald dot co dot nz. A DNS server takes that name and converts it into an IP address, so that's where the server actually is. And yeah, DNS essentially, without DNS, the Internet does not work, so you can see how important it is. And DNS also controls where, how traffic is directed to your website, how emails get to you, how users log in, log out, all of those sorts of things. So the gaps that I found are talking about email, mostly email security issues, and domain and website security issues, so pretty key things to plug when you've got users logging into a health portal.
Yeah.
And is that quite a common mistake or gap, I suppose for websites in New Zealand.
Yeah, so I've done, I did a lot of research on this last year. I built a little app and stuck it on the dot nz TLD. TLD stands for top level domain. I ran it for about six weeks, collected only maybe two and a half thousand domains' worth of information, but over half of those domains had these exact problems, so it's not an uncommon issue. That is super common, and it is not just a New Zealand problem either. I've extended my research beyond that too.
Well, I've actually covered fifty one countries now with the agent that I built. So yeah, it's a global problem. Have you heard Instagram got hacked today or yesterday? No? Okay, Instagram was hacked and seven, I think it was seven million user accounts were leaked onto the Internet, like not the dark web, they were just leaked onto a forum.
So I actually scanned them.
I did the exact same scan on Instagram that I did on Manage My Health. Yeah, similar story. Instagram, with billions of users, similar story and same security gaps.
Yeah.
These problems extend beyond small business into the five hundred, you know, Fortune five hundred realm.
Yeah. Yeah, and so how can companies kind of rectify or you know, do better in that respect?
The first thing I would be doing is asking your IT provider, what are my current security gaps and how can we best plug those? I have done my best to make that information as accessible as I can to people on my website, so people can go and scan their domains if they want to, and it will actually tell them exactly what I found with Manage My Health, the gaps, how to fix them, and the impact of not fixing them, like what is the main reason I should fix this, plug this hole? The scanner and the results will actually tell you that. And if you still need more help, I'm here, or you can speak to the agent buck on our website that also provides human, that humanizes cybersecurity and technical speak.
In terms of what happened with Manage My Health and the kind of glaringly obvious, it seems, gaps in many websites in New Zealand's security systems, do you think that hackers worldwide who do do this for monetary gain are looking at New Zealand at the minute being like, well, there's your cash grab?
Yeah.
I mean, this time of year, New Zealand becomes a target just because of the great Kiwi shutdown. So I don't think we are much of a target until this time of year, and I've actually got data to prove that. So yeah, we're definitely. The attacks on New Zealand and Australia ramp up from November to January, and now with this news breaking, I would say we'll be even more of a target.
Now, how do you make sure if you do have your own personal information on the internet with a website, are there any ways to make sure that your information is actually safe?
The best thing that you can do to protect yourself is make sure that you've got multi factor authentication on everything. So enter a password, then it will ask you for a code as well.
Without the code, obviously a hacker can't get into your account. They need the physical device that sends you those codes. So that is a good way to protect yourself. Other than that, you're at the mercy of the people's platform that you're using. So the best thing to do there is actually ask them, what are you doing to protect my information? What controls and regulations have you got in place that protect us? And what happens if there's a breach? How do you notify us, how quickly can you clean it up? All those sorts of things are things that people should really be thinking about when using such critical platforms or any platform that you log into.
In terms of this breach, I'm wondering because obviously we hear about breaches every now and again, you know, whether it's a banking app or a government app or something like that. Those are the ones that we hear about. Are those just the tip of the iceberg?
Yes, that is definitely just the tip of the iceberg. A lot of it goes unreported. Some of them are so small they're not worth mentioning in the news. But a small hack to the news might still be a big hack to a small business, for example. So yeah, there's plenty of hacks that we are not told about. Yeah, it's the wild West. The Internet was built, you know, in the nineties on trust, and if you look at the Internet now, it's no longer a trustworthy place.
So yeah, it's best to assume that your data is not safe and make sure that it is, especially with the introduction of AI. You know, if you think about the infrastructure that AI is currently running on was built thirty years ago, it's like trying to race a Ferrari around a go kart track.
That's how I would describe it. So yeah, I almost feel like we need an Internet two point zero. But making that happen is virtually impossible or a very, very slow process because you'd have to do it. Yeah, I don't even know how you would achieve that. It would be very difficult.
It's not impossible, but it would be very slow and very difficult.
Well, it seems like the horse has bolted in a lot of ways, hey? I mean, I can imagine, you know, back in the nineties, what we would refer to as hackers were individuals going in and doing it one by one, whereas now they can make quite sophisticated systems that do like, you know, a thousand things at once or something.
That's probably an understatement.
Yeah, I mean, even just in the last twelve months, hacking has become a thousand times easier for people. If you think about how easy it is for someone to install ChatGPT and fill out an essay, for example, you can do the same with hacking. There's apps exactly like ChatGPT for launching spoofing and phishing campaigns. So what they actually can do is like a full reconnaissance mission on a business, so they can figure out who's the CFO, who's the CEO, who's the CTO. Have they been mentioned in the news recently, what time of year is it? Have they mentioned the going up a seat, those sorts of things. They do a full recon and it's fully automated now, so it takes a lot of that manual effort away from the hackers. A lot of it used to be manual. Now it's all automated.
So where do we go to next?
Is it just safe to have none of your personal information on the Internet or is that completely unavoidable?
It's pretty much unavoidable, right. We're kind of reliant on technology and the internet without you. Imagine if the Internet was off for a day, the world would stop. So it's not like you can't stop using it. You have to keep using it. You just have to be super vigilant with protecting your credentials, be very, very aware of the platforms that you're actually using. Maybe even see if there's more secure alternatives. And yeah, just be very, very suspicious of any links and emails. Like, the best advice I can offer you for links and emails is hover over it. If the link you hover over doesn't look right, don't click on it.
Thanks for joining us, Adam.
No worries.
That's it for this episode of The Front Page. You can read more about today's stories and extensive news coverage at nzherald dot co dot nz. The Front Page is produced by Jane Yee and Richard Martin, who is also our editor. I'm Chelsea Daniels.
Subscribe to The Front Page on iHeartRadio or wherever you get your podcasts, and tune in tomorrow for another look behind the headlines.
