Manage My Health (MMH), an online health portal with 1.8 million registered users, disclosed a data breach at the start of the year that may have affected around 6% to 7% of patients, or about 125,000 people.
In its January 1 statement, the company said it had been notified of unauthorised access to its New Zealand application on December 31.
“We believe the incident has been contained, and we have engaged independent international forensic consultants to further verify the solution we have put in place and determine the extent of the data which is affected,” it noted.
In a subsequent, seemingly conflicting statement on January 2, the company said it “became aware of the cybersecurity incident on 30 December 2025, following notification from a partner.”
This has raised several questions: When exactly did the company learn of the breach? Who has access to what internal systems? What level of visibility does MMH have on its attack surface?
Attack and response
Upon investigation, MMH said only one module, Health Documents, was compromised, rather than the entire application.
“Preliminary investigation reveals no evidence at this stage that the core patient database was accessed, nor any evidence of data modification or destruction within our system, nor any access to user credentials,” it said on January 2.
On January 3, the company said it already had a complete list of people whose documents may have been stolen. By January 5, it said it had begun contacting affected medical practitioners, with direct patient communication commencing that week.
“Each practice will receive access to a confidential list of their affected patients through our secure Provider Portal, along with guidance on supporting patients who contact them with questions,” MMH said in its statement.
The company said this was intended to allow general practices to prepare for patient enquiries ahead of direct notifications. It noted that GPs are often the first point of contact for concerned patients and said the aim was to ensure they have the necessary information.
By January 6, the company confirmed that “prescription(s) in the Health Record function have not been accessed and the portal has been independently confirmed as secure.”
MMH also said it enabled a function in the app that informs practices whether they were affected by the data breach.
A hacker known as “Kazu” claimed to have carried out the attack and demanded a ransom of US$60,000, threatening to leak the stolen files. The alleged hacker set a January 6 deadline for payment and released a sample of the stolen files. The deadline was later moved to January 9.
It is unclear whether any payment was made, although MMH reiterated the New Zealand government’s position against paying ransoms to cybercriminals.
MMH said paying a ransom does not guarantee data recovery, could breach sanctions, and risks funding further criminal activity.
In its January 8 statement, the company said the compromised data involved:
- About 45 Northland-based GP practices.
- Clinical discharge summaries and historical clinical referral records in the Northland region, with data dating back between six and eight years.
- Approximately 355 “referral-originating” GP practices across a number of New Zealand regions.
- Personal health information uploaded by patients.
“Manage My Health does not automatically delete patient accounts or data when a practice stops using the platform. For example, many MMH users have signed up for accounts that are not linked to doctors and use the many features of the application that are not related to communications with their GP. In addition, many patients change doctors/practices while keeping their MMH account. Accounts remain active unless the patient chooses to close their account, whereupon the data is deleted,” it stated.
Meanwhile, an 0800 number has also been established for impacted individuals. MMH said this number was not publicised and “only shared with impacted individuals via direct notification, as the team manning this number is dedicated to supporting impacted individuals only.”
Privacy probe
As required by New Zealand law, MMH immediately informed the Office of the Privacy Commissioner about the incident and is working with it, alongside other regulatory and law enforcement agencies, to investigate the matter.
In a January 9 statement, the regulator said it “expect(s) Manage My Health and any other relevant health agencies to be able to demonstrate to the Privacy Commissioner, as the privacy regulator, that they had appropriate security safeguards in place, if not, why not, and what steps will be taken to prevent such an incident happening again.”
Further, MMH must also be able to demonstrate “that they have taken appropriate steps to mitigate and respond to any harm caused to affected individuals.”
“Failure to have taken reasonable steps to prevent a breach from occurring can result in compliance action, including directing the agencies concerned to take steps to improve their systems and processes,” the Privacy Commissioner said.
Given the scale of the incident, the sensitivity of the personal and health information affected, and systemic issues being identified, the regulator said it may decide that an investigation is warranted, depending on further information provided by MMH.
New Zealand Health Minister Simeon Brown also launched a review of the incident to prevent a repeat in the future.
“Patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards,” he said.
Access issues
As reliance on digital health platforms increases, access expands across users, systems, and partners, often faster than controls are revisited, observed one security specialist.
“Over time, that creates pathways that are broader or less visible than intended. In many major breaches, the issue is not a single technical failure, but access that persisted longer, reached further, or was harder to see than it should have been,” Darren Guccione, CEO and co-founder of Keeper Security, said.
According to Guccione, zero trust and privileged access controls play a critical role in such environments. He added that fragmented access across disconnected systems makes it harder to maintain visibility and consistent controls, reducing the ability to contain incidents before they escalate.
Although investigations help explain what happened, they do not prevent future incidents on their own. What matters is whether organisations use incidents as an opportunity to reassess how access is managed in practice and whether protections evolve alongside the systems they are meant to support, Guccione said.
He added that individuals should recognise that no system is immune and consider monitoring services that alert them when personal information appears in known data breaches.














