More than 120,000 New Zealanders had their medical information caught up in the recent Manage My Health cyberattack.
Yet, weeks later, thousands are still waiting for clear answers about what happened, whether they were affected, how they should protect their identity and information, and what’s being done to protect the system moving forward.
Shine has provided communications support to a number of clients that have experienced similar cyberattacks, so we understand the intricacies and limitations of what you can say and when, to avoid compromising the cyber response and investigation.
However, there are still ways to safely communicate with your stakeholders that are transparent, genuine, and help to allay fears.
The Manage My Health breach has been high profile, and far reaching, so the perceived lack of communication has only deepened public mistrust.
Many patients first became aware that something was wrong when the breach was made public through the media over the festive season. Even once Manage My Health confirmed the cyberattack, essential details were released slowly, sporadically, and for many, indirectly.
Healthcare providers also felt the impact of poor communication. The Royal New Zealand College of General Practitioners described the response as “shambolic, frustrating and slow”, noting that some GP practices were told how many of their patients were affected – but not who those patients were – while other practices received specific names.
The flow-down effect of this inconsistency is that GPs have not been able to support or advise their communities, leaving patients unsure whether or not their information and/or identity has been compromised.
Further compounding public unease, key FAQs have been posted within the Manage My Health app itself – the same platform most people aren’t accessing out of fear it’s not safe.
This move means important guidance was sitting behind a technical and emotional obstacle, when the need for reassurance was at an all-time high.
While appreciating hindsight is 20/20, there were some simple communication tactics Manage My Health could have employed to gain a level of control of the situation and restore public trust.
Fundamentally, putting out frequent, clear, concise updates – even when information was scarce – would have gone a long way to reassure the public that the crisis was being handled, and given them confidence about how to protect themselves.
General practices also could have offered a powerful channel for reassurance, given their existing high-trust relationships with patients, and vast contact databases.
Security failures may have sparked this crisis, but communication failures have prolonged it. Strengthening cybersecurity is crucial, but so is rebuilding confidence; that begins with honest, accessible, and proactive communication in the moment, and beyond.
Making it less about “us” in case it looks like we’re taking a far more personal interest in it rather than professional!