ManageMyHealth (MMH), New Zealand’s leading patient portal serving approximately 1.8 million users, disclosed a significant cyber security incident on December 30, 2025, involving unauthorized access to the “Health Documents” module. This breach, affecting an estimated 6-7% of users (roughly 108,000-126,000 individuals), prompted swift containment, legal action, and coordinated notifications under the Privacy Act 2020 and Health Information Privacy Code. No core patient database or clinical systems were compromised, and Health NZ confirmed its infrastructure remained unaffected.
Incident Timeline
- December 30, 2025: Breach detected and contained; initial notifications to Privacy Commissioner, NZ Police, and Health NZ.
- December 31, 2025-January 1, 2026: Public disclosure of scope; ransomware group claims responsibility, demands $60,000 (deadline passes without payment).
- January 3, 2026: Forensics confirm Health Documents module isolation; legal action initiated; notifications to practices/PHOs/GPs begin.
- January 5, 2026: High Court injunction granted against data leaks; direct patient comms rollout; dedicated helpline announced; MoH review commissioned.
- Ongoing: Independent forensics by cyber specialists; monitoring leak sites; daily updates via MMH site.
Technical Details and Scope
The compromise targeted only the Health Documents module, not the full app, core database, or doctor credentials.Affected data includes sensitive health documents (e.g., test results, referrals, notes) from multiple providers, with exact contents under forensic verification. Key mitigations:
- Security gap identified and patched, independently verified.
- Enhanced login checks, rate limiting, and re-secured document storage.
- No evidence of data exfiltration or alteration to date
| Aspect | Details | Status |
|---|---|---|
| Users Affected | ~108k-126k (6-7% of 1.8M) | List finalized; notifications commencing |
| Data Types | Health documents only | Forensics confirming specifics |
| Systems Impacted | Health Documents module | Contained; platform operational |
| Attribution | Ransomware actor (unnamed) | Police investigation; no ransom paid |
Response and Remediation Efforts
MMH engaged external cyber forensics, coordinated with Health NZ, GPNZ, Privacy Commissioner, and NZ Police. Actions include:
- High Court injunctions for takedown notices on leak sites.
- Provider portal access for GPs to view affected patients.
- Dedicated support: [email protected], upcoming 0800 helpline, online helpdesk.
- Sector-wide comms to avoid confusion from multi-provider notifications.
Government response features a Ministry of Health review, welcomed by MMH for sector-wide improvements.
Recommendations for Users and Providers
Patients face risks of identity theft, extortion, or medical fraud; monitor for unusual bills/claims.
- Immediate Steps:
- Enable 2FA (Google/Microsoft Authenticator) at app.managemyhealth.co.nz/myaccount/two-step-verification.
- Reset password; watch for phishing/scams—verify via official channels only.
- Report suspicious activity to police.govt.nz or ncsc.govt.nz.
- Monitoring: Review accounts weekly; contact providers for unrecognized activity.
- Providers: Use secure portal for patient lists; prepare for inquiries with MMH guidance.
Regulatory and Broader Implications
Under NZ Privacy Act, MMH as data controller leads notifications, with multi-agency coordination for sourced documents.This incident underscores vulnerabilities in health portals amid rising ransomware targeting healthcare (e.g., no PII dump confirmed yet).Lessons for global CISOs: prioritize module segmentation, rapid forensics, and transparent phased comms.
For updates, visit https://managemyhealth.co.nz/faqs-cyber-breach/. This analysis draws from official statements as of January 5, 2026—check sources for latest developments.
