The chief executive of beleaguered patient portal Manage My Health says he is open to standing down if required after it "dropped the ball".
Vino Ramayah told RNZ hackers who have seized hundreds of thousands of files from more than 120,000 patients "got in through the front door".
He takes full responsibility, he said.
"That's something for after the dust settles, whether I'm the current or continue to be the CEO," he said.
"I'm not unprepared to step down if there's a better person who can do a better job than I did."
Ramayah described the major breach as a "password accessed intrusion".
Manage My Health CEO Vino Ramayah says patients should trust the company, despite the hack. Photo: SCREENSHOT / RNZ
"They came in through the front door using a valid user password."
The deadline for a $60,000 ransom was initially thought to expire early on Tuesday morning, but Ramayah confirmed that deadline has now shifted.
"From what we have understood from the tracking and the kind of announcements in the dark web which we are monitoring the deadline is 5am on Friday."
But he said deadlines had come and gone "many times" and out of principal he would not comment on what people put up on the dark web.
"And we really don't know who's telling the truth and who isn't telling the truth. But our intention is to do the right thing."
A question of ransom
The chief executive would not be drawn on whether Manage My Health has discussed internally whether it was prepared to pay the ransom.
"I am not inclined to make any statement in that regard because it's an ongoing investigation, I don't want to jeopardise any investigations and I will make no comment in that regard," he said.
When asked again, Ramayah said: "As I have said here, I'm not going to comment on that".
He also would not say if Manage My Health had been in any negotiations those who took the patient data.
"As I said, I do not wish to comment on this investigation or any activities with any nefarious people, so I'll leave it at that."
Ramayah said Manage My Health was itself the victim of crime.
He said patients should trust the company "even though we have dropped the ball".
Ramayah told RNZ he personally was aggrieved and distressed by the breach.
His own medical records were among those impacted, he said.
"And so is lots of my friends and families. I am deeply distressed that this is out there and this has happened."
"The doctor - patient relationship was sacrosanct," he said.
"I think the main point is there has been a crime, we have tried to do our best, as you know, we've had staff working around the clock since this incident with very little sleep and we are trying our best to contain the damage and the pain and anxiety patients feel - that is pretty hard for us as an organisation."
'A big hit on our reputation'
On Tuesday, a cyber security expert told RNZ he could not see Manage My Health recovering from the breach.
"Look, this is a big hit on our reputation and I do not disagree with that observation," Ramayah said.
"But whether we can recover, we've got an excellent team, we've got an excellent product and we have served Kiwis for a very long time well.
"We're very confident that we can restore the confidence and we are doing the right thing to ensure that we put providers and patients ahead of our own interests."
The breach was unfortunate and a blemish on the company, he said.
On its website, Manage My Health says it is trusted by 1.85 million people and that it is a secure health portal.
"It depends on what you mean by secure, I know nothing is 100 percent secure, we are secure to the best of our knowledge and we do all the professional tests which any industry assessment will make independently that we were a secure software," Ramayah said.
Ramayah said nothing in their doctor's own database had been breached and taken.
"What has been penetrated is a single module which contains health documents from a specialist referral, from discharge summaries... and also uploaded data by the patient.
"And there is a function called help documents, that function was what was penetrated and that function has anything you as a patient can upload, not what your doctor uploads," he said.
Ramayah told RNZ staff have been working around the clock to firstly secure its data and any vulnerable points in its system.
A High Court injunction issued on Monday has been expanded and will be served on major media outlets," he said.
The chief executive said Manage My Health was not the first organisation to be attacked "despite our vigilance, despite our best practices".
"But criminals are getting smarter, we just need to be ahead of them now, this is an unfortunate incident in our history.
"Since 2008 we have never had a breach of this nature," he said.
RNZ put it to Ramayah that the platform had not been ahead of cyber criminals in this case.
"Well, I guess every cyber hack is a new learning vulnerabilities. You know, there's no software in the world which is completely non vulnerable. There are there is cyber criminals, always trying to steal passwords, use passwords, find out methods and authentications which they can outwit," he said.
Injunction issued
Meanwhile, the High Court has issued an injunction, preventing people from accessing the medical documents of 127,000 patients, stolen in the cyberscam.
The decision by Justice Andru Isac says the documents stolen from Manage My Health include discharge summaries, referrals, personal health information uploaded by patients and other documents.
The data comes from 45 GP practices in Northland but also included approximately 355 referral from around the country.
Some of the data was historical and related to referral records between 2017 and 2019.
The judge granted the application against so-called unknown defendants on the basis the approximately 430,000 documents contained highly sensitive and confidential information.
Justice Isac said Manage My Health was also concerned that the information, including patient contact details, could be used by others to target people.
"First, there is no doubt that sensitive patient information has been unlawfully obtained by unknown parties in a cyber-attack. The individuals responsible for obtaining the data clearly have no entitlement to it.
"Second, there is also no doubt that the purpose of the data hack is to use the threat of further disclosure as a means to extort payment from the applicant. Those responsible have sought to make plain the seriousness of their threat by publishing a small sample of the stolen data."
He said if the ransom is not paid and the stolen data is published, there is a real risk to patients who have had their private and personal information compromised.
The hack of Manage My Health occurred on 30 December and the injunction was sought on 5 January.
In its latest online update, Manage My Health said it had started contacting GP practices which have affected patients.
Information on appointments and prescriptions were not accessed and the portal is now secure, it said.
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
