Amanda Gillies, for The Detail

Data is the new gold - but many health organisations, under pressure on the front line, are leaving the door to the safe open.

More gay and bisexual men will, from today, be able to donate blood, as the New Zealand Blood Service changes its screening process.

But it means every blood and plasma donor will be asked the same personal questions about recent sexual partners; if they have had anal sex and their STI exposure.

It's about identifying risk, as well as reducing barriers and boosting donor numbers, and the move has been welcomed across the country.

But it also raises fresh questions about who can access medical information and how safely it is stored.

The change comes just days after the Health Minister-ordered review into the Manage My Health breach was formally wrapped up, four months after hackers stole the medical notes of more than 120,000 patients. The review's findings are expected to be released to the public shortly.

The Detail's associate producer, Charlyse Tansey, was among those who had her personal medical information stolen, shattering her trust in health digital storage.

"When you put so much trust in an organisation to take care of the most sacred information that you have... you expect them to have security measures in place, and now that this has happened, and these random people somewhere in the world have my data, I'm just like, how can I trust my health provider?" says Tansey, who was told officially about the breach nearly two weeks after it made the news at the end of December.

Among the notes stolen was medical information about her extensive injuries in a fatal car accident a year before, as well as her name, date of birth, NHI number, her phone number and her address.

She tells The Detail she hasn't heard anything further from Manage My Health since they acknowledged the breach by email and told her to change her password, and to set up two-factor authentication.

"That annoys me because I feel like when you sign up to something like Manage My Health, you kind of go in with the sense that 'I know my privacy is going to be protected because some of my most vulnerable information is on there'.

"I have had all this personal information stolen about a traumatic event that I have been through, and I have heard nothing else."

Tansey is now reluctant to donate blood and answer personal questions in fear of another breach.

"It does make me question it. Medical notes are one thing, but sexual history notes are a whole other can of worms... that makes you not want to trust them, especially with all the data breaches in terms of health companies... so I would definitely question it."

But Joshua Bankers, Director of Digital Technology and Information at NZ Blood, tells The Detail, "A donor's answers to these questions are confidential and are stored securely - they are not shared across systems or organisations, and access is limited.

"As a New Zealand Crown Entity, we follow Government standards for privacy, data classification and sovereignty, cybersecurity, and data protection, and our settings are regularly reviewed and updated.

"We also belong to a national health cyber security forum alongside other government health organisations, where challenges and learnings are shared, including conversations about recent data and security breaches and how to continue to protect against them.

"Additionally, key security controls are active at our organisation that weren't implemented in other recently breached health organisations."

But a cybersecurity expert tells The Detail that "the cold hard reality is that no one is ever 100 percent fully protected".

So just how vulnerable are Kiwis when it comes to storing and protecting medical data?

"Short answer: very, very vulnerable, unfortunately," says Jan Thornborough, a cybersecurity specialist and founder of Outfox Limited, which helps keep businesses cyber-safe.

"And it's not necessarily the fault of the health sector; it is just the way cybercrime is increasing year by year. With the introduction of artificial intelligence, or the geopolitical problems we are seeing around the world, cybercrime is big business.

"In fact, if it was a country, it would actually be the third richest country in the world."

New Zealand's recent health cyberattacks include the Waikato DHB's hospital systems being crippled for weeks in 2021, with hackers accessing sensitive patient and staff data and some private medical information leaking online.

A major North Island GP network suffered a cyber attack affecting more than 80 clinics. Patient information was reportedly compromised, raising concerns about the security of primary healthcare systems.

Health NZ confirmed an IT security incident in its central region after a malicious actor gained unauthorised access to occupational health and safety information belonging to current and former staff. Some records included sensitive medical assessments and health-related correspondence.

Then, in December last year, in one of the country's biggest privacy breaches, hackers accessed sensitive medical documents belonging to more than 120,000 patients using the Manage My Health portal. Exposed documents, like Tansey's, included discharge summaries, specialist referrals, blood test information, and uploaded medical files.

And this year, medication management platform MediMap was taken offline after patient records were reportedly altered during a cyber incident. Some records were allegedly changed, including marking some patients as deceased or renaming them Charlie Kirk.

Jan Thornborough warns that healthcare systems are now prime targets because they often combine highly sensitive data with older technology and stretched budgets.

"Organisations, and the same thing for health practices, they are operating like a horse and cart on a high-speed motorway, and they slap on a jet engine, and they think it's going to make them go faster, but they're not taking any consideration about the risks that might occur if they do go faster without the right guard rails in place," she says.

Some New Zealand GP clinics are now also using AI-assisted software to help write consultation notes, summarise appointments and reduce administrative workloads on doctors already under pressure.

"If they have got professional licences, then in theory, it should be contained in their own health system, and it should be relatively safe", says Thornborough. "And I say relatively because there's still a lot of unknowns about artificial intelligence."

The challenge for the health sector now, she says, is balancing innovation with trust.

Because while New Zealanders may accept technology changing healthcare, they also expect the most personal details of their lives to remain exactly that - personal.

Home Page | General | Previous Story | Next Story

Copyright (c) Scoop Media