A major data breach involving ManageMyHealth, one of New Zealand’s largest online patient portals, has entered a new phase as the company confirmed it has started notifying general practices affected by the incident. The breach has raised serious concern across the healthcare system, as it may have exposed sensitive patient documents linked to tens of thousands of users.
The privately run portal is widely used by general practices across the country to help patients access health information online. Earlier this week, ManageMyHealth confirmed it had detected unauthorized access to part of its system late last year. Since then, authorities, health agencies, and medical practices have been working to understand the scale of the incident and reduce harm to patients.
What Happened in the ManageMyHealth Breach
ManageMyHealth reported that the breach involved unauthorized access to its Health Documents section. This area may store uploaded files such as referrals, test results, and other medical documents. The company stressed that its core system, which handles appointments, prescriptions, and health records, was not accessed during the incident.
According to the company’s investigation, between 6 and 7 percent of its roughly 1.8 million registered users were affected. This means the breach may have impacted between 108,000 and 126,000 people across New Zealand. These figures have made the incident one of the largest health-related data breaches reported in the country.
On January 5, ManageMyHealth said it contacted the first group of general practices whose patients were linked to the breach. At the same time, practices that were not affected were also informed so they could reassure patients and remain alert.
The company said an independent forensic investigation confirmed that some patients connected to specific practices were affected. Practices were given guidance and support material to help them answer patient questions and manage concerns in a calm and informed way.
Steps Taken by Authorities and Health Agencies
Legal and government action followed quickly after the breach became public. On Monday, ManageMyHealth obtained an interim injunction from the High Court. The court order aims to stop any third party from accessing, sharing, or publishing the stolen data.
The injunction also requires anyone who already has the data, or information taken from it, to immediately delete it. This includes removing any online posts, links, or copies that may exist elsewhere.
The government has also responded. Health Minister Simeon Brown ordered a formal review into how the cybersecurity breach was handled. The review focuses on the response process rather than speculation about future outcomes.
ManageMyHealth confirmed it is working closely with Health NZ and the Office of the Privacy Commissioner to meet Privacy Act requirements. The company said it is taking responsibility for notifying affected individuals on behalf of the general practices.
Practices will receive Privacy Act notifications through the ManageMyHealth system, along with instructions on how patients can access more information and support.
Impact on Patients and Ongoing Response
The breach has caused anxiety among patients and medical providers alike. ManageMyHealth issued an apology, acknowledging the distress caused by the incident. General practices were told that a secure list of affected patients is available through the Provider Portal.
Practices have been encouraged to review these lists carefully. If any patients are considered vulnerable, practices can raise concerns so that additional support can be arranged before notifications are sent.
New features have also gone live on the ManageMyHealth app. These allow practices to check whether they were affected and help those that previously used the service but have since moved away. A dedicated 0800 helpline is being set up to provide advice and support to patients who may have questions or concerns.
Patients will also soon be able to use app features to check whether any of their documents were impacted. This is intended to give users clear and simple information without needing technical knowledge.
The breach was reportedly linked to a group calling itself Kazu, which posted messages on Telegram demanding a ransom of US$60,000. While reports suggested deadlines were mentioned, authorities have focused on containment and investigation rather than public negotiation details.
ManageMyHealth said it continues to work around the clock with authorities to manage the situation and support both patients and general practices as the response unfolds.
