In light of the recent cyber incident affecting the ManageMyHealth patient portal, we want to take this opportunity to reassure you about the robust security foundations of Health365, the secure patient engagement platform you rely on every day.
Health365 has not suffered any data security breach.
At Health365, security is embedded at every layer: physical, network, infrastructure, and application architecture. The security framework is built around one core principle: assume breach, protect data.
🧱 Application Architecture: “Nothing to Steal” by Design
The fundamental point of difference between Health365 and other portals is that no clinical data is stored on Health365 servers.
Patient records are hosted locally on each clinic’s server or in the clinic’s secure cloud instance.
When a patient logs in to access their records on Health365, the application calls up their information directly from the clinic’s records and displays it. Health365 is designed in such a way that it does not copy or hold clinical records in order to provide the portal service.
That means that even if the Health365 application were breached, there is no central repository of patient records that hackers can gain access to. This drastically reduces the impact of any attack.
Additional safeguards in our app layer:
- Strict identity verification: Only clinics can register patients. Patients cannot register themselves.
- Verified identity linkage: Each patient account is tied to a verified clinical record.
- No email change via self-service: To prevent account takeover, patients cannot update their email address online—changes require verification by the clinic.
🔒 Physical & Infrastructure Security
- Health365 is hosted exclusively in Tier 3, ISO 27001-accredited data centres in New Zealand (Datacom, Auckland)—ensuring physical resilience, redundancy, and strict access controls.
- All infrastructure runs on Microsoft Azure, with hardened configurations following NZISM (New Zealand Information Security Manual) guidelines.
- Server & network environments are protected by best-in-class firewalls, intrusion prevention (IPS), and endpoint protection (CrowdStrike Falcon).
- All data is encrypted—both in transit (TLS 1.3+) and at rest (AES-256).
🛡 24/7 Proactive Threat Monitoring & Response
- The platform is safeguarded by Microsoft Azure Sentinel, a world-class cloud SIEM—fully managed by Kordia’s dedicated Security Operations Centre (SOC) in Wellington.
- Kordia’s Cyber Incident Response Team is retained on standby for immediate containment & recovery—should an event ever occur (though none have to date).
🚀 Future Enhancements: Strengthening the Last Mile
As announced in November, MyPractice is working with their hosting providers to introduce Multi-Factor Authentication (MFA) in early 2026, adding another layer of security against credential-based attacks.
