The ManageMyHealth Breach: What Actually Happened, What Data Was Exposed, and Why It Matters

What is ManageMyHealth?

ManageMyHealth is an online patient portal used by general practices across New Zealand. It allows patients to:

• View health information shared by their GP
• Upload and store personal health documents
• Communicate with healthcare providers

The service reportedly has around 1.8 million registered users, making it one of the most widely adopted digital health platforms in the country.

Timeline of the Breach (Confirmed)

30 December 2025:

A threat actor publicly claimed to have breached ManageMyHealth, alleging they had obtained a large volume of patient documents and demanding a ransom.

31 December 2025:

ManageMyHealth confirmed a cyber incident and stated it was working with cybersecurity specialists and authorities.

1 January 2026:

The company notified regulators and stated that approximately 6 to 7 percent of users may be affected, roughly 120,000 to 126,000 people.

Early January 2026:

• New Zealand’s National Cyber Security Centre (NCSC) acknowledged the incident and confirmed coordination with health authorities.
• The Office of the Privacy Commissioner (OPC) confirmed it was assessing the breach.
• ManageMyHealth obtained High Court injunctions to limit further dissemination of stolen data.

What Data Was Actually Accessed?

According to ManageMyHealth and the Privacy Commissioner, the breach was limited to a specific part of the platform known as My Health Documents.

Data that was involved

These documents were uploaded or stored by users, and may include:

• Hospital discharge summaries
• Referral letters from GPs to specialists
• Clinical correspondence
• Other personal health documents uploaded by patients

Many of the referral documents referenced date from 2017 to 2019, though exposure is not limited strictly to those years.

Data that was not involved

ManageMyHealth has stated that the following were not accessed:

• GP clinical systems
• Live medical records
• Prescriptions
• Secure patient to doctor messaging
• Appointment systems

This distinction is important. The breach did not expose entire GP databases, but it did expose highly sensitive personal medical documents.

How Many People Were Affected?

• ManageMyHealth estimates 6 to 7 percent of users were impacted.
• Reporting indicates Northland was disproportionately affected, with tens of thousands of impacted records linked to the region.
• Dozens of GP practices had documents associated with the exposed dataset.

The exact final number may still change as forensic analysis continues.

Claims vs Verified Facts

Claimed by the attacker (not independently verified)

• 108GB of data
• 428,000 plus files
• A ransom demand of US$60,000

These figures are widely reported but remain claims, not confirmed measurements by authorities.

Verified by authorities

• Unauthorized access occurred
• Sensitive medical documents were involved
• A significant number of New Zealanders were affected
• Regulatory and government agencies are engaged

Why This Breach Is Especially Serious

Healthcare data breaches are different from ordinary data leaks.

Medical documents often contain:

• Full names and dates of birth
• Addresses and National Health Identifiers
• Diagnoses, treatments, and referrals
• Information that can be exploited for targeted scams or extortion

Even if financial data is not exposed, medical context makes phishing far more convincing and psychologically harmful.

Government and Regulatory Response

Office of the Privacy Commissioner:

Confirmed notification, issued public guidance, and indicated a likely investigation due to scale and sensitivity.

National Cyber Security Centre:

Working with Health NZ and other agencies to assess risk and response.

Ministerial oversight:

A review has been ordered to understand how the breach occurred and how similar incidents can be prevented.

What ManageMyHealth Says It Has Done

• Isolated the affected system
• Engaged independent cybersecurity forensic experts
• Conducted additional security testing
• Began notifying affected users directly
• Recommended multi factor authentication
• Offered identity and cyber support services

Whether these measures were sufficient before the breach is a question regulators are expected to examine.

What Still Isn’t Known

As of now, there is no public confirmation of:

• Whether all accessed files were exfiltrated
• Whether copies of the data continue to circulate
• The precise technical vulnerability that was exploited
• Whether enforcement action or penalties will follow

These are normal uncertainties at this stage of a large investigation.

The Bigger Picture

This incident highlights a broader issue.

Digital health platforms are now critical infrastructure, but they are not always treated as such.

As healthcare continues to move online, breaches like this raise urgent questions about:

• Security standards for health vendors
• Oversight and auditing
• Data minimisation and retention
• Incident transparency and accountability

For patients, trust is foundational. Once lost, it is difficult to restore.

Final Thoughts

The ManageMyHealth breach is not just a technical failure. It is a reminder that cybersecurity in healthcare is patient safety.

What matters now is:

• Honest accountability
• Strong regulatory follow through
• Better protections for sensitive health data
• Clear communication with the public

Only then can confidence in New Zealand’s digital health systems be rebuilt.