New Zealand Launches Probe Into Manage My Health Data Breach

Summary
– The New Zealand government is reviewing a major data breach at the Manage My Health patient portal, which was detected on December 30, 2025.
– The attacker claims to have stolen data and demanded a $60,000 ransom, threatening to publish it, while the company states the incident is now contained.
– An estimated 100,000 to 120,000 patients may have had their personal data compromised in the attack.
– Health Minister Simeon Brown called the breach unacceptable, urged patient notifications, and emphasized the need for stronger health data security.
– Manage My Health has apologized, is coordinating notifications with health agencies, and obtained a court injunction to prevent third-party data access.

The New Zealand government has initiated a formal review following a significant cybersecurity incident at Manage My Health, a widely used online portal for patient medical records and GP appointments. This breach, detected on December 30, 2025, has prompted a coordinated response involving multiple agencies and raised serious concerns about the security of sensitive health information. Health Minister Simeon Brown labeled the situation “incredibly concerning,” underscoring the gravity of the event for the national healthcare system.
Authorities have confirmed the attack has been contained and the application is now secure. However, there remains a substantial risk that the threat actor accessed personal data. Initial estimates from Manage My Health suggest between 6% and 7% of its approximately 1.8 million registered users, potentially over 100,000 individuals, may have been impacted. An individual using the alias ‘Kazu’ claimed responsibility on a cybercrime forum, alleging the theft of more than 428,000 files. They issued a ransom demand of $60,000, threatening to sell the data if unpaid by January 15, and later escalated threats on Telegram to publish all information within 48 hours.
The ministerial review will extend beyond the immediate circumstances of the breach. It will scrutinize the existing data protections and examine the broader implications of third-party access to health data across the entire health system. Minister Brown stressed that all patient information, whether held by public or private entities, must be shielded by the most robust security and privacy measures available. Manage My Health has stated it welcomes the review and will cooperate fully, hoping the findings benefit the entire sector. The company also secured a High Court injunction to prevent third parties from accessing any data leaked from the incident.
A critical focus of the response is ensuring affected patients are notified promptly. Manage My Health began alerting general practices on January 5, providing each with a confidential list of impacted patients. Direct communication with patients is scheduled to commence later that same week, coordinated with Health New Zealand and GP organizations to prevent confusing or multiple notifications. A dedicated 0800 helpline for affected individuals will also be established, with further details to be released in a forthcoming update.
Minister Brown was unequivocal in his assessment, stating the breach was “unacceptable” and that “the error was on Manage My Health.” He publicly called for the company to apologize to all affected patients and users. The company has since issued a sincere apology for the “pain and anxiety” caused, acknowledging that its communication could have been better while explaining that its initial priority was securing patient data and verifying information accuracy. Brown emphasized the urgent national need to improve medical data safeguards, asserting, “We need to make sure we get to the bottom of this and we learn the lessons.”
(Source: Info Security)
