ManageMyHealth data breach

ManageMyHealth data breach
Malware details
Type	Data breach; unauthorised access; extortion attempt
Cyberattack event
Date	30 December 2025 (2025-12-30)
Location	New Zealand
Target	ManageMyHealth online patient portal
Outcome	Investigation ongoing; interim High Court injunction in force; government review commissioned
Losses	More than 400,000 medical documents exfiltrated, affecting over 120,000 patients
Suspects	Unknown defendants [1]  ; responsibility claimed online by an actor using the name "Kazu"

The ManageMyHealth data breach was a cybersecurity incident involving unauthorised access to the ManageMyHealth online patient portal in New Zealand. ^[2] The breach was disclosed in late December 2025 and involved the exfiltration of hundreds of thousands of sensitive medical documents relating to more than 120,000 patients. ^[3] The incident prompted urgent legal action in the High Court, government and regulatory reviews, warnings from cybersecurity and privacy organisations, and widespread concern among patients, healthcare providers, and privacy advocates. ^[4]

Background

ManageMyHealth is a privately operated online patient portal used by general practices across New Zealand. The platform allows patients to access personal health information, including referrals, discharge summaries, laboratory results, imaging reports, clinical correspondence, and documents uploaded by clinicians or patients. It also enables appointment booking, prescription requests, and messaging between patients and healthcare providers. ^[5]

The service operates independently of Health New Zealand (Te Whatu Ora), which manages public health infrastructure and national clinical systems. As of 2025, ManageMyHealth reported approximately 1.8 million registered users, making it the largest patient-facing health information portal in New Zealand. ^[6]

Discovery and initial response

According to ManageMyHealth, the company became aware of unauthorised access to its systems on 30 December 2025 after being notified by a partner organisation. The company stated that it immediately took steps to secure the platform, prevent further unauthorised access, preserve system logs and evidence, and engage independent cybersecurity and forensic specialists. ^[5]

Relevant authorities were notified on the same day, including New Zealand Police, the Privacy Commissioner, and Health New Zealand. ^[5] A public holding statement acknowledging a cybersecurity incident was published on the ManageMyHealth website on 1 January 2026. ^[2]

Public disclosure

On 31 December 2025, national media began reporting that ManageMyHealth was investigating a cybersecurity breach involving patient information. ^[2] On 1 January 2026, the company confirmed that preliminary analysis suggested approximately 6–7 per cent of its registered users may have been affected, equating to around 120,000 to 127,000 individuals. ^[3] According to The New Zealand Herald , the data breach affected 45 general practices in the Northland Region and 355 "referral-originating" medical practices across several regions. ^[7]

The company stated that investigations were ongoing and that further information would be released as verified facts became available. ^[5]

Nature and scope of the breach

According to statements by ManageMyHealth and evidence later presented to the High Court of New Zealand, the unauthorised access was limited to a specific document storage module within the platform rather than the core patient database or national clinical systems. ^[1]

The compromised data included medical documents such as specialist referrals, hospital discharge summaries, laboratory test results, medical imaging reports, clinical correspondence, and documents uploaded by patients. ^[8]

Media reporting stated that more than 400,000 documents were exfiltrated, with some records dating back several years, including material from 2017 to 2019. ^[2]

Some of the affected information related to patients whose general practices no longer used ManageMyHealth. In some cases, patient records continued to be uploaded to the portal despite practices having ended their contractual relationships with the service. ^[9]

ManageMyHealth said there was no evidence that usernames or passwords were compromised, core clinical systems were accessed, or data was altered or destroyed. ^[5] The company stated that the vulnerability used to gain access had been identified, remediated, and independently verified by external cybersecurity specialists. ^[4]

Ransom demand and attribution

Following the breach, a group identifying itself as "Kazu" claimed responsibility for the attack and said it had stolen more than 400,000 health documents. The group demanded a ransom of US$60,000, threatening to publicly release the data if payment was not made. ^[10]

Samples of the stolen data were published online to substantiate the claim. Media reports indicated that the ransom deadline shifted multiple times in early January 2026. ^[11] No further large-scale public release of data was reported after the initial deadlines passed. ^[11]

ManageMyHealth declined to comment publicly on the ransom demand, stating that the matter was being handled by police and that investigations were ongoing. ^[12]

Legal proceedings

On 5 January 2026, ManageMyHealth applied to the High Court for urgent injunctive relief to prevent access to, use of, or dissemination of the stolen data. ^[4]

The High Court granted interim injunctions restraining unknown defendants and any third parties from publishing, distributing, or otherwise dealing with the stolen information, and ordered that any parties in possession of the data must delete it. ^[1]

The presiding judge stated that the documents contained highly sensitive and confidential medical information and that further disclosure posed a serious risk to affected individuals. ^[8] Following the injunction, online posts associated with the attackers referencing the data were removed. ^[13]

Impact on patients

General practices across New Zealand reported receiving large volumes of enquiries from patients seeking confirmation about whether their information had been compromised. Many practices said they lacked clear information about which patients were affected during the early stages of the response. ^[12]

Cybersecurity experts and consumer protection organisations warned that affected individuals could face risks including identity theft, extortion or blackmail, and targeted phishing and impersonation scams. ^[10]

Netsafe, New Zealand's online safety organisation, advised ManageMyHealth users to be especially cautious of emails or messages containing personal information. ^[14]

Advocacy organisations for survivors of sexual violence and family harm said the breach could be particularly distressing or re-traumatising for individuals whose medical records contained highly sensitive personal information. ^[15]

Notifications and remediation

In early January 2026, ManageMyHealth began notifying affected general practices and stated it would notify impacted patients directly via email in accordance with the Privacy Act 2020. ^[16]

An 0800 helpline was established to provide information and support to affected individuals. The company said it aimed to complete patient notifications by mid-January 2026. ^[16]

Criticism

The handling of the data breach by ManageMyHealth attracted extensive nationwide media coverage and drew widespread criticism, including from healthcare providers, potentially-affected patients, privacy advocates, and sector specialists.

A central criticism concerned delays and inconsistencies in notifying affected patients and general practices. Media reports indicated that many patients first learned of the breach through news coverage, rather than direct communication from ManageMyHealth. General practices reported receiving large volumes of patient enquiries while lacking clear information about which individuals were affected during the early stages of the response. Primary health organisations stated that this created uncertainty for clinicians and patients, and complicated efforts to provide timely reassurance or advice. ^[12]

Patients experienced technical difficulties attempting to access information through the ManageMyHealth platform. Patients reported being unable to log in, being logged out repeatedly, or being unable to view messages sent by their practices. ManageMyHealth attributed the issues to high traffic volumes. General practices similarly reported receiving increased patient enquiries while experiencing access and performance problems themselves. ^[17]

The chief executive of WellSouth Primary Health Network publicly stated that he had "less than zero percent confidence" in ManageMyHealth's handling of the breach, citing concerns about the flow and reliability of information provided to practices. Media reporting also highlighted frustration among healthcare providers that patient names and details of the breach appeared to be released incrementally, rather than through a comprehensive disclosure. ^[9]

Chief executive officer Vino Ramayah was the subject of further criticism following public comments about the incident. In interviews with Radio New Zealand, Ramayah acknowledged that the company had "dropped the ball" and asked the public to continue trusting ManageMyHealth despite the breach. He stated that the attackers had accessed the system "through the front door" using valid credentials, a characterisation that was questioned by commentators and sector representatives, who argued that it appeared to downplay the seriousness of the security failure and the company's responsibility to safeguard sensitive medical information. ^[8]

Ramayah declined to comment on whether ManageMyHealth had engaged with the attackers or considered paying a ransom, citing ongoing police involvement and legal proceedings. This refusal drew criticism from some media outlets and privacy advocates, who argued that greater transparency was warranted given the scale and sensitivity of the compromised data. ^[10] Ramayah subsequently stated that he was "not unprepared to step down" if a more suitable leader could take over. ^[8]

Government and regulatory response

Health New Zealand stated there was no evidence that its systems or national patient databases were affected by the breach. ^[6]

On 5 January 2026, Minister of Health Simeon Brown commissioned the Ministry of Health to conduct an urgent review of the breach and the response by both ManageMyHealth and Health New Zealand. ^[18]

The Public Service Association said the breach highlighted broader risks associated with reduced investment in digital and IT expertise in the health sector. ^[19]

The incident occurred amid increased scrutiny of cybersecurity and data protection in New Zealand following previous high-profile breaches involving financial and healthcare data. Commentators compared the breach to earlier ransomware attacks in the health sector, including the 2021 Waikato District Health Board ransomware attack. ^[19]

See also

• Vastaamo data breach
• Privacy Act 2020
• Cybersecurity

References

1. Manage My Health Ltd v Unknown Defendants( High Court of New Zealand 6 January 2026), Text , archived from the originalon 9 January 2026.
2. "ManageMyHealth confirms cyber breach". Radio New Zealand . 1 January 2026. Archived from the original on 5 January 2026. Retrieved 8 January 2026.
3. "ManageMyHealth reveals scope of data breach". Radio New Zealand . 1 January 2026. Archived from the original on 5 January 2026. Retrieved 8 January 2026.
4. "Government orders review into ManageMyHealth data breach". Radio New Zealand . 5 January 2026. Archived from the original on 6 January 2026. Retrieved 8 January 2026.
5. "FAQs related to Cyber Breach". Manage My Health. 2 January 2026. Archived from the original on 7 January 2026. Retrieved 8 January 2026.
6. "Health NZ says systems unaffected by ManageMyHealth app breach". Radio New Zealand. 2 January 2026. Archived from the original on 4 January 2026. Retrieved 8 January 2026.
7. Stevens, Ric (7 January 2026). "High Court acts swiftly to try to contain Northland-focused Manage My Health, Neighbourly cyber attacks". The New Zealand Herald . Archived from the original on 9 January 2026. Retrieved 9 January 2026.
8. "Manage My Health CEO: Trust us 'even though we have dropped the ball'". Radio New Zealand . 7 January 2026. Archived from the original on 7 January 2026. Retrieved 8 January 2026.
9. "Patient data still being uploaded to Manage My Health after contract ended". Radio New Zealand . 8 January 2026. Archived from the original on 8 January 2026. Retrieved 8 January 2026.
10. "ManageMyHealth breach: Patients at risk of identity theft, extortion – experts". Radio New Zealand . 5 January 2026. Archived from the original on 5 January 2026. Retrieved 8 January 2026.
11. "Deadline for Manage My Health ransom moves again, reports say". Radio New Zealand . 6 January 2026. Archived from the original on 6 January 2026. Retrieved 8 January 2026.
12. "'A lot of queries' from patients as anxiety about stolen data grows". Radio New Zealand . 6 January 2026. Archived from the original on 7 January 2026. Retrieved 8 January 2026.
13. "Manage My Health hackers remove information about data online". Radio New Zealand . 7 January 2026. Archived from the original on 9 January 2026. Retrieved 8 January 2026.
14. "NetSafe warns Manage My Health users to be suspicious of emails including personal details". Radio New Zealand . 6 January 2026. Archived from the original on 7 January 2026. Retrieved 8 January 2026.
15. "Manage My Health hack could re-traumatise sexual violence, family harm victims". Radio New Zealand. 6 January 2026. Retrieved 8 January 2026.
16. "Manage My Health: Patients start to be notified after massive leak". Radio New Zealand. 7 January 2026. Retrieved 8 January 2026.
17. Ruth Hill (8 January 2026). "Patients ask GPs for info on health records after Manage My Health security breach". Radio New Zealand. Retrieved 9 January 2026.
18. "Review commissioned of ManageMyHealth cyber security breach" (Press release). New Zealand Government. 5 January 2026. Retrieved 8 January 2026.
19. "PSA says privacy breach exposes risk of cutting IT experts in public health". Radio New Zealand. 3 January 2026. Retrieved 8 January 2026.