Are we Charlie Kirk? NZ medical service hacked to change patient names and living status

“When I searched for one of the missing patients using their NHI number, I located the profile and observed that the patient had been incorrectly marked as deceased,” said one nurse speaking with NZ publication Stuff.

Once the nurse discovered the issues, they contacted support. However, soon more issues were discovered.

“More patients were marked as deceased, names appeared to have been changed to Charlie Kirk, ages were altered, and some patients were assigned to different facilities,” they added.

Out of the 60 patients at the facility, 20 had their records altered.

“We just kept losing more patients from the screen. And so I started panicking because it was nearly tea time and medications were not going to be given,” they said.

“That is when I felt the magnitude of this – I realised the meds were not going out at that time, and all that information and their charts had been changed, and I didn’t know how long it would be until they were restored.”

This information puts the lives and health of patients at serious risk, as some of these medications manage diabetes, blood pressure, heart pressure, and cognitive issues, some of which are prone to falling.

While MediMap itself has not issued a statement to Cyber Daily’s knowledge, Health New Zealand Digital Services acting chief information technology officer Darren Douglass said it was in contact with MediMap and supported its response.

“Health NZ supports MediMap’s decision to seek a court injunction to help protect the information of any impacted individuals as a result of unauthorised access to its platform. As a private company, MediMap is solely responsible for ensuring the security of that platform,” he said.

“We have sought assurances from MediMap over the steps it is taking to manage this incident and minimise potential impacts.

“We are supporting MediMap’s response and have activated our Cyber Incident Management Team. We continue to work closely with other relevant agencies to coordinate a system-wide response, including Police and the National Cyber Security Centre.”

Douglass assured that patients and resident care remained at the same level despite the incident.

While MediMap was down at the time of the statement, the company began a phased restoration on 3 March. The Disability Support Services (DSS) NZ also issued a statement, saying that it was also working with Health NZ.

“Disability Support Services (DSS) is aware that some of our providers have been affected by the MediMap outage. MediMap is a privately owned and operated medication management platform,” it said.

“DSS has been contacting our providers to understand how the outage is impacting them, and what processes they are putting in place.

“For providers, the ongoing care and safety of people they are supporting remains their top priority. Providers have been implementing alternative systems, such as paper-based records and management processes.

Strangely, an individual claiming responsibility for the cyber incident has said the hack is over and claims to have deleted the data it stole from the company.

Following up on an email to several publications where they supplied an alleged sample of the data, the individual said they had decided not to pursue further action against MediMap and its patients, and instead “permanently deleted all data on my end”.

The identity of the individual is unclear, with media publications unable to independently confirm who emailed them. Additionally, there is no sign that the stolen data has been released beyond the emails to the media.

In those emails, the alleged hacker used the name of political figures, including NZ Deputy Prime Minister and ACT leader David Seymour.

They also said the breach was “not politically nor financially motivated”, but did not explain their reasoning for the breach.

At the end of one email, the hacker wrote “Goodbye for now, we are Charlie Kirk.”