Table of Contents
Summarised by Centrist
The hacking of the Manage My Health patient portal on January 1 raised a question: how did a private company come to hold sensitive health data for millions of people in the first place?
Manage My Health, launched in 2008, became widespread not through a national mandate but by piggybacking on the software most GP clinics already used.
The portal was developed alongside Medtech, the dominant practice management system in New Zealand. When clinics adopted Medtech, Manage My Health often came with it by default.
Booking appointments, viewing results, and accessing documents moved online, with little sense amongst patients that their data was now sitting with a separate private provider.
General practices typically lack the resources or technical expertise to assess cybersecurity systems independently, so they rely on portals integrated with their core software.
Over time, this created a de facto monopoly, with Manage My Health becoming the largest patient portal in the country.
Many patients only discovered this after the breach was disclosed.
The Privacy Act and the Health Information Privacy Code require organisations to take reasonable steps to prevent unauthorised access and to limit disclosure. The problem, critics say, is that “reasonable” is loosely defined and rarely tested until something goes wrong.
The Office of the Privacy Commissioner has said current law does not give it the power or resources to proactively audit organisations holding sensitive data.
A single private platform now holds information that was once dispersed across thousands of clinics.
Loading...
