A major cyber breach at ManageMyHealth, New Zealand’s largest patient portal serving 1.8 million users, exposed sensitive health data for up to 126,000 individuals in late December 2025. The ransomware group Kazu claimed responsibility, leaking 108 GB of files including medical records and test results, prompting urgent notifications and government scrutiny. Users must monitor accounts, freeze credit, and seek free support amid ongoing investigations.

What Happened in the Breach
ManageMyHealth detected unauthorised access to its New Zealand platform on December 30, 2025, quickly containing the incident with forensic experts. Kazu ransomware actors stole 428,337 files totalling 108 GB, posting samples and demanding 60,000 USD by January 15, 2026.
CEO Vino Ramayah confirmed that 6–7 percent of users (108,000 to 126,000) may be affected, with notifications starting within 48 hours via email or portal alerts. The company notified the Police, the Privacy Commissioner, and Health NZ immediately, prioritising system integrity.
Scope and Nature of Exposed Data
Compromised files likely include names, dates of birth, addresses, medical histories, test results, prescriptions, appointments, and clinician notes. As a portal linking patients to GPs, it holds detailed records from 1.8 million Kiwis across practices nationwide.
Experts like Hayden Ayers called it catastrophic at NZ scale, dwarfing prior breaches like Waikato DHB’s 4,000 records. No financial data or passwords have been confirmed stolen yet, but health information enables identity fraud or blackmail.
Official Response from Authorities
Privacy Commissioner John Edwards launched inquiries under the Privacy Act, demanding full transparency and compliance. Health Minister Simeon Brown received briefings, calling it “concerning” and pressing Health NZ for assurances on patient privacy.
Health NZ works closely with ManageMyHealth, urging practices to alert patients; GPs expressed frustration over delayed info but activated breach protocols. Police investigate potential crimes, while international forensics verify containment.
Key Response Timeline
Timeline shows swift but data-heavy response.
Risks to Affected Users
Stolen health data fuels identity theft, medical fraud (fake claims), phishing, or extortion via sensitive diagnoses. Criminals may sell records on the dark web for 10–50 NZD each, for use in insurance scams or targeted attacks.
No confirmed misuse yet, but users face higher scam risks; vulnerable groups like mental health patients risk stigma. Long-term, breached trust erodes portal use, slowing digital health adoption.
Immediate Steps for Users
Check email/portal for notifications; if affected, change passwords, enable 2FA, and monitor statements. ManageMyHealth offers free credit monitoring and identity protection via partners.
Contact GP for record access alternatives; report suspicious activity to Police (105) or Netsafe. Freeze credit files at Equifax/Veda to block fraud. Avoid clicking unsolicited health-related links.
Steps for Healthcare Providers
GPs must notify patients per Health Information Privacy Code, review access logs, and bolster cybersecurity. Practices activate incident response: audit breaches, inform at-risk patients, and transition to alternatives like MyPractice if needed.
Health NZ coordinates sector-wide alerts, urging two-factor authentication and software updates.
What Data Was Likely Compromised
The portal stores clinical notes, lab results (bloods, scans), medications, allergies, and demographics; no imaging has been confirmed leaked. Ransomware dumps showed samples with full histories, underscoring the sensitivity of the data.
ManageMyHealth’s Commitments
Ramayah apologised for the stress caused, pledging transparency, free support, and system hardening. FAQs detail containment, no ongoing access, and forensic scope; users are urged not to delete accounts. The company covers monitoring costs and provides updates via its website and email.
Legal Rights and Recourse
Under the Privacy Act 2020, users can complain to the Commissioner for investigations and fines up to 10,000 NZD; class actions are possible if negligence is proven. The health sector code mandates 72-hour breach reports; affected users can seek damages for distress via the Disputes Tribunal.
Insurance may cover ID theft; document everything for claims.
Broader Implications for NZ Health
The breach exposes digital health vulnerabilities, with 1.8m users underscoring reliance on portals amid HNZ’s push for My Health Record. GPs worry about workflow disruptions; the sector is eyeing multi-factor mandates and encryption upgrades.
It compares to global hits like Optus (9.8m) but is NZ’s worst health breach, spurring Privacy Act reforms. The response builds resilience: expect audits and sovereign clouds for health data.
Preventing Future Breaches
Adopt passkeys over passwords, regular audits, and zero-trust models; sector-wide training is essential. Users demand backups and offline records; the government is eyeing mandatory cyber standards for health tech.

Nirti Singh is a news writer and digital content contributor at KorakoSpecklePark, covering key stories and regional developments across New Zealand and Australia. Her work focuses on clear, fact-based reporting, ensuring readers receive accurate and timely information.