There's been a second major medical platform hack, leaving live patients labelled as dead and people's names changed to Charlie Kirk, the American activist who was shot dead last year – assassinated really. MediMap is widely used across New Zealand. It's often used by the aged care, disability, hospice and community health sectors. It's the second major cyber-attack on medical files and records in recent weeks after Manage My Health was hit at the end of last year, start of this year. Manage My Health's portal systems were compromised over the New Year holiday, putting the data of more than 120,000 users at risk. But it seems the two breaches are vastly different.
Manage My Health was a ransomware attack conducted by a professional hacker, Kazu (not their real name), who said they were motivated by notoriety and by profit. And there are thousands like Kazu. Think Roddy Ho in Slow Horses – annoying little geniuses who are completely removed from the rest of the world, who think along a different code, who live a different life. They do it because they can, because they think they're so clever and they want to prove it to their peers. They love showing off their hacking abilities. In some cases they demand a ransom; in some cases they're motivated by profit, in other cases not. And generally, when the ransom is paid, they're terribly professional: you never hear another word from them. They take the money and go and hit somebody else. In the case of MediMap, it seems there was a different motivation, as Geoffrey Sayer from MediMap told Mike Hosking this morning.
“What people would imagine a cyber hack is, is you've come in and brute forced and you've gone through a vulnerability in the software or the platform. This has not been the case. They've used credentials to come in, for all intents and purposes they look like a regular user, but what they started to do was not what a regular user does, which is why we shut the system down and contained it and are now working with forensic experts and government agencies to understand what's happened and then how do we bring this back online for people. We can trace it to a profile, I suppose is the best way to describe it, but we've subsequently become aware that that profile quite possibly had been compromised with their credentials.”
So it could have been a staff member's kid or partner or just somebody who had access to that code. And we actually were having a discussion before we came on air, I said to the boss because I'd been broadcasting from home for the first two weeks, I said if one of the grandkids was tinkering around on the computer, would they be able to get into the radio station basically and move things around? And he said no, there's about three or four different passwords, but I don't have access to the inner workings. I need to be guided through it anyway and given different passwords at different points. So there could be no accidental hacking of this radio station by anybody at my house.
These are not the first hacks, and they won't be the last. We have to accept that if we want the convenience of living in an online world, we're vulnerable, especially when we are complete tits when it comes to our security. Guess what the most common password is and has been for years? Yep, ‘123456’. The second most common, and this is worldwide, not just New Zealand, is ‘password’, third is ‘admin’, fourth is ‘qwerty’, and the fifth is ‘12345678’ – that'll fool them, adding the seven and the eight at the end, hey? I mean you don't even have to be a particularly good hacker to get into most people's computers.
But what if you're scrupulous about your privacy? Sure, there should be tougher penalties for the hackers, but what about those who store our information, who demand it? How many places do we go where even the retail assistants, their KPI is to harvest our email addresses, to get them from us and the more they get, the more they're rewarded. Those who store our information should understand that it's a privilege. They use it. They can make money from it, they can profit from it.
So should companies be held accountable if their security is breached? Should they have to pay some really serious fines so they get really serious about their security? In the case of MediMap, they handled it vastly differently. Different circumstances, but they handled it so much better than Manage My Health. They realised that somebody had got into the computer with legitimate credentials; to all intents and purposes the computer thought, yep, that's fine, come on in, you're welcome. Then once they started fiddling around, the computer recognised that something was going on that shouldn't be occurring and shut itself down. So different circumstances. But how much onus should be on the companies to protect our data and our information? There are millions of Roddy Hos out there, all wanting to show they're the cleverest thing in the whole wide world. How much should be on us to change our passwords and put in basic security protocols? And how can we stay off, or limit our presence, online? Is there any way of having our cake and eating it too, to have the convenience of an online world without basically being laid bare and naked before the whole wide world?
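The MediMap response described above rests on one idea: valid credentials get you in, but a stolen account still behaves unlike the person it belongs to, and an audit trail that is watched can catch that. The following is an added illustration, not MediMap's code or any detail of its systems: a small behavioural check over a constructed audit log. It assumes a hypothetical log line format (timestamp, user, action, patient id, field edited), treats patient `status` and `name` as the sensitive fields, and flags an account that edits those fields on more than three distinct patients inside five minutes, then suspends that account for the rest of the run. The threshold and window are assumed values that a real deployment would derive from what its own users normally do.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical format, not real MediMap data).
# carer07 makes a few routine edits spread over a morning; carer19 changes
# patient names and status fields on six different patients in twelve seconds,
# which no regular user does by hand.
SAMPLE_AUDIT_LOG = [
    "2026-01-12T08:01:10 carer07 update patient=1042 field=notes",
    "2026-01-12T08:05:42 carer07 update patient=1042 field=medication",
    "2026-01-12T09:15:03 carer07 update patient=1077 field=notes",
    "2026-01-12T23:40:01 carer19 update patient=1001 field=status",
    "2026-01-12T23:40:04 carer19 update patient=1002 field=status",
    "2026-01-12T23:40:06 carer19 update patient=1003 field=name",
    "2026-01-12T23:40:09 carer19 update patient=1004 field=status",
    "2026-01-12T23:40:11 carer19 update patient=1005 field=name",
    "2026-01-12T23:40:13 carer19 update patient=1006 field=status",
]

SENSITIVE_FIELDS = {"status", "name"}     # fields whose bulk edit is suspicious
WINDOW = timedelta(minutes=5)             # assumed sliding window
MAX_DISTINCT_PATIENTS_PER_WINDOW = 3      # assumed threshold; tune from baseline


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    patient: str
    field: str


def parse_event(line):
    """Parse one line of the hypothetical audit format into an Event."""
    ts, user, action, patient_kv, field_kv = line.split()
    return Event(
        datetime.fromisoformat(ts),
        user,
        action,
        patient_kv.split("=", 1)[1],
        field_kv.split("=", 1)[1],
    )


def detect_bulk_sensitive_edits(lines, window=WINDOW,
                                threshold=MAX_DISTINCT_PATIENTS_PER_WINDOW):
    """Replay audit lines in order and flag accounts that edit sensitive
    fields on more than `threshold` distinct patients within `window`.

    Returns (alerts, locked): alerts is a list of (user, timestamp,
    distinct_patient_count) at the moment the threshold was crossed;
    locked is the set of accounts suspended from that point on.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, patient)
    alerts = []
    locked = set()
    for line in lines:
        ev = parse_event(line)
        if ev.user in locked:
            continue                  # account already suspended; ignore further activity
        if ev.field not in SENSITIVE_FIELDS:
            continue                  # routine edits are not counted
        q = recent[ev.user]
        q.append((ev.ts, ev.patient))
        while q and ev.ts - q[0][0] > window:
            q.popleft()               # drop edits that fell out of the window
        distinct = {patient for _, patient in q}
        if len(distinct) > threshold:
            alerts.append((ev.user, ev.ts, len(distinct)))
            locked.add(ev.user)       # the "shut it down" step from the interview
    return alerts, locked


if __name__ == "__main__":
    found, suspended = detect_bulk_sensitive_edits(SAMPLE_AUDIT_LOG)
    for user, ts, count in found:
        print(f"{ts.isoformat()} suspended {user}: sensitive edits on {count} patients")
    print("suspended accounts:", sorted(suspended))
```

Run against the constructed log, `carer07` is never counted (no sensitive-field edits) and `carer19` is suspended at the fourth distinct patient, at 23:40:09, before the fifth and sixth records are touched. The check deliberately keys on distinct patients rather than raw edit count, so a carer correcting one record several times is not flagged, while an account sweeping across many records is.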