UPDATE 1500 06/01/26 : Ransom has been extended (So i suspect MMH will pay something)
As most Kiwis will know by now (and if not, hope you’ve had a good off the grid holiday), ManageMyHealth got ransomed.
Long story short, a dodgy overseas group found a “hole” in the MMH system, and exploited it, allowing them to access a decent amount of medial information of approx 120,000 New Zealanders.
Ransom was dropped to $60k (not sure if NZD or USD) but MMH have been muppets about it all and word is now the data has been released/up for auction of the dark web.
My GP uses MMH, and I’ve regularly used it to have my medications renewed, but thats about it. So I’m not overly concerned whats in there with my name on it, I’m pretty open about my medical history as its fairly typical for someone of my lifestyle/age. Diabetes Type II, blood pressure etc. So spam me medications all you like….
Thing that pisses myself (and many others) off about it all, is the blasie attitude of MMH to it all. Communications have been extremely poor (The ransomware group have been more communicative that what MMH have to EVERYONE ), they have NOT implemented any sort of password reset campaign in the off chance passwords were obtained (this is unlikely going by the “hackers” comms, but still a simple and good thing to do) and NOW they’ve sent everyone an email via their MHH portal, asking them to login and read a message they’ve posted there.
Get fucked.
You got done over.
You now ask everyone to log in to read a message ???
Are you trying to be morons ?
I for one am NOT touching the system until a 3rd party security audit has been completed. And I doubt this will happen.
I did work for Medtech Global, who was started by the owner of MMH, many years ago, doing IT support at their Viaduct office, on contract.
One day I got called in by the management team (inc Vino of MMH), and asked to find out why the network was running like dialup. Did a bit of investigation, and found it was a network virus doing the rounds. Reported that to Vino and cronies. “NO ITS NOT, YOU’RE WRONG, WE’RE BRINGING IN SOMEONE ELSE TO FIX THE PROBLEM, DON’T TOUCH ANYTHING” was the response.
Third party came in, had quick meeting with me where I told them what I’d found, they took a look, 10mins later “hey confirmed its a network virus”.
Between us we flushed it out, found the source, and sorted. (End user fault)
That day cost Medtech Global, my time, the 3rd party company fees and time, and an entire day of downtime in development.
All because management thought they knew better.
And thats what appears to have happened here as well. Ignoring the facts and rather spend money to keep it quiet. But hackers don’t give a shit about that….
MMH just need to put their hand up, “we fucked up”, do a full reset of all accounts, and be open about whats been taken. Theres not much else that can be done now, apart from paying the ransom and HOPE the offenders are honest enough to just delete the data.