By Ruth Hill of RNZ

IT experts allege Manage My Health ignored warnings about vulnerabilities in its cyber security for years – but the regulatory vacuum meant the company was not required to take action.

About 127,000 New Zealanders have had their information stolen in the ransomware attack after hackers were apparently able to obtain a password giving them access to part of its database containing more than 430,000 documents.

University of Auckland cyber security expert Dr Abhinav Chopra said he discovered the holes in Manage My Health’s system two years ago when he was trying to find out why it was still holding on to his health records after his GP moved to a new provider.

In an email to his GP, Manage My Health and eventually the Privacy Commission, he listed all the problems, including the lack of multi-factor authentication and the fact that multiple administrators had access to unencrypted files.

“This is the same pattern. They should have invested. They’ve had two years and these are the exact same areas that have caused them the issue.”

The company did not respond to him, he said.

Manage My Health has said it is required to hold on to patients’ data – even if their GP switches provider – unless patients deregister themselves.

However, Chopra believes Manage My Health could have another reason for holding on to patient records. Its own website proudly notes its database of “1.8 million Kiwis” and its ability to get its customers’ message to them “when they’re thinking about their health”.

“If this company did not have any commercial gains to make out of this data, then they would not be paying the extra storage costs for this data,” Chopra said.

Terms and conditions gave company an ‘out’

A Wellington IT worker caught up in the Manage My Health data breach – whom RNZ has agreed not to name – also questioned the lack of regulatory checks and balances.
“Health services that have this information and these functions should be subject to the same scrutiny and compliance requirements and auditing as financial institutions.

“If your banking app is down, it’s a huge deal and it gets lots of scrutiny.”

However, Manage My Health’s users could not say they were not warned, she said.

“The irony is that I actually read their terms and conditions, and they haven’t breached them because their entire terms of usage is they can’t guarantee their system is any good or that they’ll fix it, even if it’s foreseeable and they know about it.

“It’s essentially, ‘We can’t guarantee our product doesn’t suck, but here, give it a go’.”

Digital specialist Callum McMenamin (who also alerted Manage My Health to its security vulnerabilities six months ago) said the 300-page Health Information Security Framework contained many good things – but entirely relied on “hand-wavy” self-regulation.

“It’s all just a high-trust system where the Government sets the standards but then closes its eyes and doesn’t check if the standards are actually being met.”

Industry has opposed regulation – commentator

According to political analyst Bryce Edwards from The Democracy Project, the lack of regulatory oversight was “not an accident”.

The Digital Health Association – the industry body for health software vendors – had lobbied against what it called “overly burdensome privacy laws and regulation”, he said.

“They have time and time again asked government to keep the rules on privacy quite weak and relaxed so the companies that deal with data are not subject to too much of what they call ‘red tape’ or essentially costs on them.”

Successive governments had ignored warnings from three Privacy Commissioners over the last 15 years about the need for stronger penalties, like in Australia, where errant companies faced multimillion-dollar fines, Edwards said.
The Digital Health Association pushed for the repeal of the Therapeutic Product Act, which would’ve regulated software as a medical device with surveillance and penalties for non-compliance, he continued. “If...