The New Zealand government is undertaking a review into a large-scale data breach that affecting Manage My Health, an online patient health portal used across the country to access medical records and manage general practice (GP) appointments.
The cyber-attack was detected by Manage My Health on December 30, 2025 and later described as “incredibly concerning” by New Zealand Minister of Health Simeon Brown.
Attack Contained Amid Fears for Patients’ Data
In a series of statements published between January 1 and 3, the targeted company said it has been working with Health New Zealand, the New Zealand Police, other government agencies and independent international forensic consultants to respond to the incident.
In his address to the media on January 5, Brown confirmed that "the government is throwing a significant amount of resource, especially within Health New Zealand and General Practice New Zealand, at addressing this and supporting Manage My Health as they respond to this incident."
In its latest statement, Manage My Health confirmed that “the incident has been contained” and “the application is secure.”
However, despite the company’s claim, it is possible the threat actor behind the attack has gained access to Manage My Health users’ personal data.
According to the company’s first statement on January 1, between 6% and 7% of the approximately 1.8 million New Zealand patients registered with the firm could have been compromised – which represents between 100,000 and 1200,000 people.
An alleged attacker using the alias ‘Kazu’ said they were behind the incident in a post on a cybercrime forum on December 30. They claimed that more than 428,000 files had been taken and warned that the information would be put up for sale if Manage My Health failed to pay a $60,000 ransom by January 15.
In a separate message posted on Telegram on January 3, Kazu escalated the threat, saying that all of the stolen data would be published within 48 hours if the payment was not made.
New Zealand Health Ministry Review
As part of the review into the situation, Brown said the health ministry would look into not only what happened and what data protections were in place, but also what else may need to be done in regards to third-party access to health data across the health system.
The minister also stressed that the data involved contains highly personal and sensitive patient information. He said that no matter whether it is held by public agencies or private companies, it must be protected with the strongest possible security and privacy measures.
Manage My Health said it “welcomes the commissioning of a Ministry of Health review and will cooperate fully with this process. We hope the findings and recommendations of the review are not just helpful to us, but to the whole sector.”
The company also obtained an injunction from the High Court to prevent third parties from accessing any data posted as a result of the incident.
Minister Urges Patient Notifications
Brown also emphasized the importance and urgency that “patients are notified.”
Manage My Health said that it started notifying general practices on January 5.
“Each practice will receive access to a confidential list of their affected patients through our secure Provider Portal, along with guidance on supporting patients who contact them with questions” the company noted.
Direct patient notification is planned to start later in the same week once GP practices have all been notified, the company added.
“The exact timing requires coordination with Health New Zealand, GPNZ and GP practices to ensure patients receive clear, consistent information and do not receive multiple or confusing notifications from different organizations about the same incident.”
Manage My Health and Health New Zealand will also establish a dedicated 0800 helpline for affected patients. Further details, including the phone number and operating hours, will be provided in the company’s next update.
Minister Slams Error, Company Issues Apology
During his speech to the media, the minister said that “what happened is unacceptable” and that “the error was on Manage My Health.”
Brown also urged the company to “apologize to all affected patients and users of this service.”
Manage My Health did so in its latest statement, saying: “We sincerely apologize for the pain and anxiety this incident has caused to our providers and patients.”
The company also acknowledged it “could have done a better job at communication, however, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients.”
He noted that the country urgently needs to do a much better job of safeguarding medical data.
“We need to make sure we get to the bottom of this and we learn the lessons,” he added.