Public shaming is the main tool in Webster’s arsenal.
“The highest fine under the Privacy Act is a measly $10,000. But that’s not even for poor security practices resulting in a data breach – it’s only for failing to notify one,” Simply Privacy principal Frith Tweedie told Tech Insider soon after the initial breach.
This is in stark contrast to the penalties in other countries.
In Australia, maximum fines for serious breaches are the greater of A$50 million ($60.4m), three times the benefit obtained from what happened, or 30% of the organisation’s annual turnover.
The higher penalties across the Tasman were inspired by two major data breaches in 2022, Tweedie says, involving telco Optus, and Medibank, Australia’s largest health insurer.
Tweedie notes that in European Union countries, fines for being careless with data run up to €20m ($40m) or 20% of global annual turnover, whichever is greater.
“Our current approach means there are no real incentives for Kiwi organisations to protect personal information and respect people’s privacy rights,” Tweedie says.
“This has been a problem for years and one that successive Privacy Commissioners have called out. Maybe this time the Government might listen?”
Our Government is keeping a watching brief on the changes across the Tasman, which came into effect in December 2022 – although it was not until October last year that the first serious penalty was levied. Australian Clinical Labs (ACL) was ordered to pay A$5.8m related to a February 2022 cyberattack.
New Zealand firms in the Aussie law’s gun
Both Webster and his predecessor John Edwards have called for tougher penalties for poor security leading to a data breach.
Opponents say it’s always been tricky to apportion blame for a data breach, and even more so now that AI is making attacks more fiendishly clever than ever.
But wherever you stand on Australia’s A$50m fines, a Simpson Grierson briefing on the A$5.8m ACL penalty warned, “New Zealand companies carrying on business in Australia – or handling Australian customer data – need to be aware that they may be subject to the Australian Privacy Act – and its penalties”.
Good Health NZ security standards, not enforced
Most of the information that was stolen from Manage My Health was information sourced from hospitals in Northland.
Health NZ should have taken more steps to make sure that it was safe to pass on the information to patients through the privately owned Manage My Health, the Privacy Commissioner said.
The Health NZ project team that engaged with Manage My Health did not include specialist privacy and security personnel.
“There was over-reliance on information from Manage My Health about the security and privacy of the health portal as opposed to doing independent checks.”
After the initial Manage My Health hack, cybersecurity expert Adam Voulstaker said Health NZ has a set of guidelines for the health sector called the Information Security Framework (HISF), which is comprehensive and up-to-date.
But they are guidelines only. Experts say they should be enforced, with audits.
Catching up with KFC
Digital standards consultant Callum McMenamin noted that two-factor or multifactor authentication (where an app or text confirmation is used as well as a password) was in Health NZ’s requirements but not deployed by Manage My Health.
“KFC has multifactor authentication enabled across all its accounts by default. I dream of a future where my health data is as secure as my fried chicken order,” McMenamin said.
The Privacy Commissioner this morning noted that Manage My Health did implement compulsory MFA and other security measures after the breach, and that Health NZ had also upgraded its safeguards, but said “compliance notices will formally require both of them to complete any necessary remaining work and demonstrate to my satisfaction that all changes are working effectively”.
Audits could be on the way: regular audits for all private healthcare providers could be in the works.
“As Health NZ progresses implementation of measures to increase the accessibility and security of health information, we are considering what further assurance of third-party providers against regulations and standards is required,” a Health NZ spokesperson said.
Manage My Health responds
The Privacy Commissioner’s key findings were that, “The cybersecurity breach was not the result of a single security failure, but was due to a combination of problems, including:
- Manage My Health had several key gaps in security that allowed the attack to happen.
- It failed to have systems in place that would detect that large amounts of information were being accessed, so that steps could be taken to interrupt the hacker before so much information was stolen.”
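The second finding above, the absence of anything that would notice large volumes of records being read, is the kind of gap a simple volume-based alert closes. The following is an added example, not code from Manage My Health, Health NZ or the Privacy Commissioner: it runs over a constructed portal access log (hypothetical accounts and record ids) and flags any account whose record reads in a sliding window exceed a threshold, the sort of signal that would have given responders a chance to interrupt the access while it was under way.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample portal access log (hypothetical, not real patient data).
# Each line is "<ISO timestamp> <account> <record id>". Two clinician accounts
# read a handful of records; one account reads 250 records in ten minutes.
def build_sample_log():
    lines = [
        "2025-01-10T09:00:01 clinician-a patient-1001",
        "2025-01-10T09:04:12 clinician-a patient-1002",
        "2025-01-10T09:05:40 clinician-b patient-2001",
        "2025-01-10T10:30:00 clinician-b patient-2002",
    ]
    start = datetime(2025, 1, 10, 9, 10, 0)
    for i in range(250):  # hypothetical bulk read: one record every 2.4 seconds
        t = start + timedelta(seconds=i * 2.4)
        lines.append(f"{t.isoformat(timespec='seconds')} bulk-user patient-{5000 + i}")
    return lines

def parse_line(line):
    """Split one log line into (timestamp, account, record id)."""
    ts, account, record = line.split()
    return datetime.fromisoformat(ts), account, record

def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`.
    `times` must be sorted; two pointers keep this linear in the number of events."""
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best

def flag_bulk_access(lines, threshold=50, window=timedelta(minutes=10)):
    """Return {account: peak reads} for accounts whose record reads in any
    `window` exceed `threshold`. Threshold and window are illustrative values;
    a real deployment would tune them per role (clinician, patient, integration)."""
    per_account = defaultdict(list)
    for line in lines:
        ts, account, _record = parse_line(line)
        per_account[account].append(ts)
    flagged = {}
    for account, times in per_account.items():
        times.sort()
        peak = max_in_window(times, window)
        if peak > threshold:
            flagged[account] = peak
    return flagged

if __name__ == "__main__":
    print(flag_bulk_access(build_sample_log()))  # only the hypothetical bulk-user is flagged
```

The same counting logic can be fed from a live log stream to raise an alert, or to throttle or suspend the account, before a full export completes.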
Manage My Health said this morning that it acknowledged the distress caused and apologised again for the breach.
It added that, “There is no evidence of compromise to core patient portal systems and their integration with GP practice management systems. We recognise that any breach of trust is significant and we take that responsibility seriously.
“Since the incident, MMH has undertaken a comprehensive programme of security and operational improvements. These include mandatory multi-factor authentication for all users, enhanced real-time monitoring and alerting capability, strengthened access controls, and expanded independent security testing across the platform.”
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.
