Hackers Access 400,000 Medical Files in Breach of New Zealand Patient Portal

The email arrived just after lunch on a workday, blandly titled “Important information about your health records.”

For thousands of New Zealanders, opening it meant discovering that documents they had shared in confidence with their doctors — hospital discharge summaries, specialist referrals, counseling letters and lab results — may now be in the hands of cybercriminals.

In late December, attackers broke into Manage My Health, the country’s largest online patient portal, and accessed a cache of more than 400,000 medical documents. The breach has exposed an estimated 6% to 7% of the platform’s 1.8 million registered users, turning a private company’s security failure into a national test of how New Zealand protects health information in an increasingly digital system.

Manage My Health, often written as ManageMyHealth or MMH, is not a government app. It is a privately run portal used by general practices across the country, allowing patients to view test results, request prescriptions, book appointments and exchange documents with their clinics.

For many people, however, MMH was their main doorway into the public health system — and they assumed the state was guarding it.

Breach detected on December 30

MMH says it became aware of the incident on Dec. 30, 2025, after a technology partner alerted it to suspicious activity. In a series of public updates, the company said it moved quickly to block unauthorized access, preserve logs and bring in external forensic investigators.

The intruder, a data-extortion actor using the handle “Kazu,” later claimed responsibility on cybercrime forums, boasting of stealing more than 428,000 files — about 108 gigabytes of data — from the portal’s Health Documents module. The attacker claimed to have downloaded referral letters, hospital summaries, test reports and other uploaded files, and demanded US$60,000 in exchange for not releasing them.

Samples posted online to prove the hack’s authenticity appeared to include genuine New Zealand medical documents displaying patients’ full names, addresses, dates of birth and clinical information.

In its first public statement on Jan. 1, MMH said its investigation suggested that about 6% to 7% of users had documents in the affected module, equating to roughly 108,000 to 126,000 people. The company has not released a precise figure but maintains that its estimate has remained consistent.

Crucially, MMH and government agencies say there is no evidence so far that the core patient database — which holds demographic details, appointment records and prescription histories — was accessed, altered or destroyed. The company has also said it has found no sign that usernames and passwords were taken.

Health New Zealand, Te Whatu Ora, which runs public hospitals and national health IT systems, has emphasized that its own infrastructure, including the My Health Account digital identity service, was not involved in the breach. MMH operates on separate, private systems contracted by individual practices.

A narrow technical fault, wide human fallout

Forensic specialists engaged by MMH have told the company that the vulnerability that allowed access to the Health Documents module has been identified and fixed, and that the portal is now operating securely. MMH says the “specific gap” has been closed and independently tested.

But while the technical issue may be contained, the consequences of the exposed documents are likely to play out over months or years.

The affected module — sometimes branded “My Health Documents” — holds files that patients or clinics upload, including referral letters, hospital discharge notes, imaging reports, external correspondence and scanned documents. Some date back several years. In some cases, files relate to patients whose practices have since moved off the MMH platform, raising questions about how long data was retained and how it was handled when clinics ended their contracts.

Privacy advocates and victim support workers say the nature of those documents makes this breach more than just a numbers story.

Claire Buckley, an independent advocate for people affected by sexual and family violence, said records within the stolen cache may include protection-order documents, court-related correspondence and intimate counseling notes.

“For survivors who disclosed abuse believing that those records would stay between them and their doctor, the idea that those documents might now be in criminal hands is terrifying,” Buckley said in comments reported by local media. “Even people who ultimately turn out not to be affected are living with the fear that they are.”

Online safety group Netsafe warned that detailed personal and health information could fuel highly targeted scams.

“With names, dates of birth, addresses and specific medical details, you can craft phishing emails or phone calls that are extremely convincing,” Netsafe chief online safety officer Sean Lyons said. “We expect to see attempts where someone appears to ring about a real hospital visit or test result, but the goal is to trick people into handing over money or more information.”

High Court injunction and privacy watchdog involved

As the scale of the breach became clear, MMH moved not just to shore up its systems but to limit the spread of the stolen data.

On Jan. 5, the company obtained interim injunctions from the High Court of New Zealand against unknown defendants. The orders prohibit people from publishing, sharing or dealing with the information taken from MMH and require anyone who has copies to delete them. While the injunction cannot force overseas criminals to comply, it gives local authorities a tool to act against anyone who reposts the data in New Zealand or on platforms subject to New Zealand law.

The Office of the Privacy Commissioner was formally notified of the incident on Jan. 1, in line with mandatory breach notification rules under the Privacy Act 2020. In a public statement, the watchdog said MMH had advised that about 6% to 7% of its 1.8 million users were affected and that it was working with the company “as they work through containing and investigating the breach, and identifying and notifying impacted users.”

Under the Act, organizations must take reasonable steps to protect personal information and must report breaches that are likely to cause serious harm, to both the affected people and the commissioner, “as soon as practicable.” The regulator has said it is too early to say what, if any, enforcement action might follow but has stressed that the information involved in this case is “highly sensitive health information.”

People who believe they have been affected are expected to raise complaints with MMH first; if they are not satisfied with the response, they can then go to the commissioner.

Minister orders review, warns against ransom payments

The breach has also reached the Cabinet table.

Health Minister Simeon Brown has described the incident as a “concerning breach of patient data,” while saying there has been “no clinical impact” on the delivery of health services because hospital and GP practice systems continued to function.

On Jan. 5, Brown directed the Ministry of Health to conduct an independent review of the MMH cyber incident and the responses of both the company and Health New Zealand. The review will look at the causes of the breach, whether adequate protections were in place, and what changes may be needed to prevent similar events.

“Patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards,” Brown said in a written statement.

He also reiterated the government’s longstanding position that ransoms should not be paid in cyber incidents, aligning with guidance from law enforcement and cybersecurity agencies that paying can encourage further attacks and does not guarantee data will be deleted.

Opposition health spokesperson Dr. Ayesha Verrall said Manage My Health users “have every right to be concerned” and argued that patients should have been contacted more quickly once the breach was identified.

Notifications roll out to clinics and patients

MMH says it has now identified all patients whose documents may have been accessed and has begun notifying both general practices and individuals.

From Jan. 5, practices were given access to a secure provider portal listing potentially impacted patients and the specific documents involved, so they could prepare to support those patients. On Jan. 7, MMH said it would start emailing patients directly within 24 hours, aiming to complete most notifications by early the following week.

The company has recommended that users enable two-factor authentication on their accounts, such as an authentication app or biometric login, and remain alert to suspicious messages or calls. It continues to state that it has no evidence of stolen passwords, but it has encouraged password resets as a precaution.

A test for digital health trust

The Manage My Health breach is one of the largest and most sensitive cybersecurity incidents New Zealand has faced, in terms of the number of people affected and the intimate nature of the information involved.

It comes after the 2021 ransomware attack on Waikato District Health Board, which disrupted hospital operations, and amid a government drive to move more health services and information online. It also sits at the intersection of public expectations and private responsibility: a commercial vendor, deeply embedded in everyday health care, holding millions of records about public patients.

For now, the documents taken from MMH’s Health Documents module remain at the center of a criminal investigation and a web of legal and regulatory responses. For the patients whose histories sit in those files, the breach means living with an uncomfortable reality: while passwords can be changed and servers patched, the personal stories recorded in their medical documents cannot be taken back.
