The MediMap hack – three more lessons for Auckland businesses

By Shivani Narayan, ClearEdge

Two breaches. Less than three months apart. Thousands of New Zealanders are wondering who has their most sensitive information and what’s been done with it.

Earlier this year I wrote about the Manage My Health hack and what it meant for local businesses. Then in late February, MediMap – the medication platform used across aged care, hospices and disability services – was breached.

This time data was not just stolen. Records were altered. Some patients were listed as deceased. Care staff had to double nursing numbers just to complete medication rounds safely. Two incidents in quick succession is not bad luck. It’s a pattern! Here are three more lessons for anyone running a business in east Auckland.

1. Your vendor’s problem is your problem

In both breaches, the Government’s position was identical: the platform is solely responsible for its own security. That sounds reassuring until you realise your business depends on platforms that would say exactly the same thing if breached tomorrow. Your accounting software. Your payroll tool. Your customer database.

Every piece of software you rely on is a door into your business. Start with three questions to your key vendors: do you use two-factor authentication? Is data encrypted at rest? When was your last independent security audit? If they cannot answer all three, that tells you something.

2. When the system goes down, what’s your plan B?

When MediMap went offline, facilities reverted to paper. Rounds that took minutes stretched to hours. Errors became more likely. Most businesses are not running medication rounds, but the question is identical: what happens if your core system goes dark for 48 hours? If you cannot answer quickly, you have an assumption, not a plan.

3. The rules are changing

The Government’s new Cyber Security Strategy proposes mandatory obligations and director-level personal liability for serious breaches. Consultation closes on April 19.

This is not aimed at SMEs today. But the direction is clear. Businesses that get ahead of it will find it becomes a point of trust. Those that wait for legislation will pay more, in more ways than one because the question is no longer whether Kiwi businesses are targets. It is whether yours is ready.