Photo: RNZ / Finn Blackwell
A patient is shocked to find that more than two years after her GP ended its contract with Manage My Health, it has continued to receive her new medical records.
The patient health information portal will today begin contacting thousands of patients whose private medical information has been caught up in a ransomware attack.
Rachel - who is enrolled at one of The Doctors Medical Centres in Auckland - was emailed by her clinic in November 2023 to say it was switching to a new in-house app and that Manage My Health was "no longer available".
"I assumed (foolishly) that meant my data had been migrated and deleted."
Have you been affected? Share you stories with us at: iwitness@rnz.co.nz
However, after hearing the news that former users may also have had data stolen, she checked her old log-in.
"Sure enough it worked," Rachel said.
"But it gets worse. When I log in, not only can I see pre-November 2023 data, but my medical records continued to be uploaded to MMH after my GP moved providers.
"There were still lab results, multiple lab results, that were being uploaded."
Rachel said she had received the same results via the new app, so it was not clear whether the GP was still receiving results from the lab via Manage My Health, or the systems were still integrated in some way.
Green Cross Health, which owns The Doctors practices, was unable to say yet how new medical files for this patient continued to be uploaded to Manage My Health after the practice stopped using the system - nor could it confirm what it was told what would happen to patient records.
Its general manager for medical, Wayne Woolrich, said the organisation was "working closely" with Manage My Health to understand the level to which its patients and practices had been affected, including this patient.
"We are deeply concerned about the recent Manage My Health cyber breach and understand this is a worrying time for New Zealanders," he said.
"We are also cooperating fully with primary healthcare organisations, Health New Zealand, the Privacy Commissioner, and New Zealand Police as they investigate the attack and lead the response alongside the relevant industry bodies.
"With that in mind, we are not able to comment further at this point in time but will share more information as soon as we can."
Manage My Health said it hoped to finish notifying all affected patients by "early next week".
"Notifications will be sent initially through email to the address that was used to register the account."
The email notifications would include an 0800 number that impacted individuals could call to get "support and assistance should they require".
"We continue to work around the clock and closely with authorities and agencies to respond to this incident and resolve the matter for patients and general practices.
"We sincerely apologise for the pain and disruption that this incident has caused to our providers and patients as a result of this criminal activity against our systems."
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
