A comprehensive analysis of how 126,000 patients had their medical data compromised in one of New Zealand’s largest healthcare breaches
Executive Summary
On December 30, 2025, New Zealand’s largest patient portal, ManageMyHealth, discovered unauthorized access to its systems that would ultimately expose the sensitive medical data of approximately 126,000 patients—roughly 6-7% of its 1.8 million registered users. The breach, attributed to a cybercriminal group using the alias “Kazu,” resulted in the exfiltration of 108GB of data comprising 428,000+ medical files, including hospital discharge summaries, referral letters, and patient-uploaded health documents spanning 2017-2019.
The incident has exposed critical vulnerabilities in New Zealand’s healthcare data infrastructure and sparked a government review, widespread criticism of the company’s response, and serious questions about the security posture of third-party healthcare providers managing sensitive patient information.
The Breach: What Happened
Discovery and Initial Response
ManageMyHealth became aware of the cyber incident on December 30, 2025, after being notified by a partner organization. The company immediately engaged independent cybersecurity and forensic specialists, secured the affected platform features, and notified key stakeholders including:
- New Zealand Police
- Office of the Privacy Commissioner
- Health New Zealand (Te Whatu Ora)
- National Cyber Security Centre
The breach was limited to the “My Health Documents” module—a feature that stores:
- Patient-uploaded files (correspondence, test results, medical reports)
- Hospital discharge summary documents and clinical letters
- GP referral letters to specialists and other healthcare providers
Critically, the company confirmed that the core patient database, user credentials, and the primary “Health Records” module (containing appointment information and prescriptions managed by GPs) were not compromised.
The Threat Actor: Kazu
On December 30, a cybercriminal group using the alias “Kazu” claimed responsibility for the attack via a cybercrime forum, demanding a ransom of $60,000 USD (approximately NZ$104,000). The group threatened to sell the stolen data if payment wasn’t received by January 15, 2026.
In a concerning escalation on January 3, Kazu posted on Telegram that all stolen data would be released within 48 hours if payment wasn’t made—effectively moving the deadline to approximately January 5.
Kazu has an established track record of targeting healthcare and government institutions globally. Previous alleged victims include:
- Nepal Ministry of Education (July 2025): 1.4TB of student data stolen
- Doctor Alliance, Texas (November 2025): 1.24 million files, $200,000 ransom demand
- Nepali Police: Loss of photos, passports, and personal identification data
- Multiple targets across Argentina, Bolivia, Costa Rica, Iran, Kuwait, Mauritania, Mexico, Sri Lanka, Thailand, and Venezuela
In interviews with New Zealand media, someone claiming to be Kazu stated they target healthcare companies specifically and set ransoms at “affordable levels” that most targeted organizations end up paying.
Technical Analysis: How the Breach Occurred
Attack Vector and Method
According to CEO Vino Ramayah in interviews with RNZ, the attackers gained access “through the front door” using stolen credentials. This credential-based intrusion represents a relatively unsophisticated attack method compared to advanced persistent threats or zero-day exploits.
Cybersecurity expert Dr. Abhinav Chopra identified approximately 17 different security controls that were not properly implemented, suggesting systemic security failures rather than a single point of compromise.
Security Posture Deficiencies
Independent security analysis revealed multiple concerning gaps in ManageMyHealth’s cybersecurity infrastructure:
1. DMARC Configuration Failures
Vimal Kumar, senior lecturer at Waikato University’s Cyber Security Lab, highlighted that Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols were not properly configured—a relatively simple security measure that helps prevent email spoofing and phishing attacks.
“If the DMARC which is fairly easy to set up has not been set up, then what other things were not being done properly?” Kumar noted, adding that while DMARC wasn’t directly related to this breach, it indicated broader security posture problems.
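The kind of check behind Kumar’s observation, as an added example that is not code from the article, ManageMyHealth or any party named here: it grades a domain’s published DMARC record (the TXT record at _dmarc.<domain>, RFC 7489 tag=value syntax) as absent, monitor-only, partially enforcing or enforcing, and lists the gaps. It works on record text only, so it runs offline; the sample records and example.com addresses are constructed.

```python
"""Assess how much protection a published DMARC record actually provides.

Added example for this article; not code from ManageMyHealth or any party
named in it. A DMARC record is the TXT record at _dmarc.<domain> and is a
list of tag=value pairs separated by ';' (RFC 7489). Only the record text is
examined here, so nothing touches DNS; the sample records are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ENFORCING = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    valid: bool                 # receivers would honour the record at all
    policy: Optional[str]       # the p= value, if present and valid
    grade: str                  # none | monitoring | partial | enforcing
    findings: List[str] = field(default_factory=list)


def parse_dmarc_tags(record: str) -> List[Tuple[str, str]]:
    """Split a record into ordered (tag, value) pairs with tags lower-cased.

    Segments without '=' are kept under the tag '_malformed' so the caller
    can report them. Values keep their case (mailto: addresses live there).
    """
    pairs: List[Tuple[str, str]] = []
    for segment in record.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            pairs.append(("_malformed", segment))
            continue
        tag, value = segment.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Grade a DMARC record as none, monitoring, partial or enforcing."""
    findings: List[str] = []
    if not record or not record.strip():
        findings.append("no DMARC record published; receivers apply no policy to spoofed mail")
        return DmarcAssessment(False, None, "none", findings)

    pairs = parse_dmarc_tags(record)
    tags = dict(pairs)
    for tag, value in pairs:
        if tag == "_malformed":
            findings.append(f"malformed segment ignored: {value!r}")

    # The version tag must be first and be exactly DMARC1, else receivers ignore the record.
    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1; receivers treat it as absent")
        return DmarcAssessment(False, None, "none", findings)

    policy = tags.get("p", "").lower()
    if policy not in ("none",) + ENFORCING:
        findings.append("missing or invalid p= tag; record is treated as absent")
        return DmarcAssessment(False, None, "none", findings)

    grade = "enforcing" if policy in ENFORCING else "monitoring"
    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")

    # pct= below 100 applies the policy to only a sample of failing messages.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; treated as 100")
    if policy in ENFORCING and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        grade = "partial"

    # sp= governs subdomains and inherits p= when absent; a weaker sp= leaves them spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if policy in ENFORCING and sub_policy == "none":
        findings.append("sp=none leaves subdomains unprotected despite an enforcing p=")
        grade = "partial"

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility into spoofing")

    return DmarcAssessment(True, policy, grade, findings)


if __name__ == "__main__":
    # Constructed sample records, weakest to strongest.
    samples = {
        "missing": None,
        "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
        "half-enforced": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@example.com",
        "enforcing": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com",
    }
    for name, rec in samples.items():
        result = assess_dmarc(rec)
        print(f"{name:14} grade={result.grade:10} findings={result.findings}")
```

Only a grade of enforcing with no findings means receivers will actually reject or quarantine mail spoofing the domain; p=none records, which are what a DMARC lookup most often turns up, report on spoofing but do nothing to stop it.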
2. Previous Warning Signs
The Office of the Privacy Commissioner revealed on January 7, 2026, that they received an anonymous email in June 2025—six months before the breach—alleging that names, email addresses, and passwords were exposed in the ManageMyHealth platform. This early warning appears to have gone unheeded.
3. Data Retention Issues
Multiple GP practices reported being unaware that ManageMyHealth still stored patient records after they had discontinued using the service years earlier. College of GPs president Luke Bradford noted his practice stopped using ManageMyHealth “several years ago” but had no idea records were still being stored after the relationship ended.
ManageMyHealth confirmed they do not automatically delete patient accounts or data when a practice stops using the platform, creating an expanding attack surface of potentially outdated or orphaned data.
The Timing: Holiday Period Exploitation
The breach occurred during the New Year’s holiday period—a deliberately chosen window when organizational security monitoring and incident response capabilities are typically reduced. Cloudflare Radar data showed New Zealand experienced elevated attack activity during the holiday period, with domestic ISP attack sources rising 63.5% to 77.3% during the shutdown period.
Security researcher Daniel Ayers characterized the breach as “catastrophic on the New Zealand scale” and noted that attackers routinely exploit reduced staffing and monitoring during holiday periods.
Impact Analysis: Who Was Affected
Geographic Distribution
The breach had disproportionate impact on New Zealand’s Northland region:
- Northland: Approximately 86,000 affected patients across 45 GP practices
- Nationwide: 355 “referral-originating” GP practices across multiple regions
- Total affected: 125,000-126,000 patients (approximately 6-7% of 1.8 million registered users)
Northland was particularly impacted because it’s the only region in New Zealand where Health NZ (the government’s public healthcare provider) uses ManageMyHealth to share information with patients, creating a concentration of sensitive government health data on the platform.
Types of Compromised Data
The breach exposed multiple categories of highly sensitive medical information:
Hospital Discharge Summaries (Northland region, 2017-2019)
- Clinical letters and treatment summaries
- Diagnostic information
- Medication lists and treatment plans
- 6-8-year-old data affecting patients who may have since relocated
GP Referral Records (2017-2019)
- Specialist referrals with medical justifications
- Clinical observations and diagnoses
- Patient medical histories
- Treatment recommendations
Patient-Uploaded Documents
- Personal health records
- Test results and imaging reports
- Medical correspondence
- Home monitoring data (blood pressure, weight recordings)
- Address changes and personal updates
Vulnerable Populations
Emeritus Professor Murray Tilyard, appointed as ManageMyHealth’s honorary clinical advisor following the breach, highlighted that deceased patients were among those whose records were compromised. He emphasized the need to identify and contact next of kin, as they themselves may be vulnerable to related risks.
Advocacy organizations for survivors of sexual violence and family harm warned that the breach could be particularly distressing or re-traumatizing for individuals whose medical records contained documentation of abuse, assault, or domestic violence.
Disability advocate Blake Forbes expressed deep concern about the anxiety caused: “For me it’s causing, from a personal perspective, and I know a lot of friends are like this as well, it’s causing me a lot of anxiety, their GPs don’t even know what’s going on.”
Response Failures: A Timeline of Confusion
December 30, 2025: Breach Discovery
ManageMyHealth notified of unauthorized access by partner organization. Company immediately begins containment and forensic investigation.
December 31, 2025: Public Awareness
National media begins reporting the breach investigation.
January 1, 2026: Official Confirmation
ManageMyHealth publishes first public statement confirming the breach and preliminary impact estimates (6-7% of users).
January 3, 2026: Ransom Escalation
Kazu escalates threat on Telegram, demanding payment within 48 hours or all data will be released.
January 5, 2026: Government Response
Health Minister Simeon Brown orders Ministry of Health review and describes breach as “incredibly concerning.” ManageMyHealth obtains High Court injunction to prevent data dissemination.
January 6-8, 2026: Notification Chaos
GP practices begin receiving notification. Patients report website crashes, conflicting information, and communication failures.
January 8, 2026: Patient Notifications Begin
First 50% of affected patients begin receiving email notifications—nine days after the breach was discovered.
Criticism of Response
The College of GPs issued scathing criticism of ManageMyHealth’s handling of the incident. President Luke Bradford described the response as “shambolic, frustrating and slow.”
“Patients are really frustrated, GPs are frustrated, there’s mixed amounts of information coming out,” Bradford said. “Some practices are being told the number of patients they have affected but not which patients, my practice for instance was told we had 59 patients but not the patients’ names, some practices are being given the patients’ names.”
Key Response Problems
1. Delayed Notifications
Vimal Kumar characterized the nine-day delay before patient notifications as “shocking.” “The company was made aware of this on 30th of December and they are reaching out to their users, people who have been affected now,” he said. “It’s shocking, and people are worried about the safety of their data and their own well-being.”
Under most healthcare data protection frameworks globally, organizations face strict breach notification timelines. While New Zealand’s Privacy Act 2020 doesn’t specify an exact timeline beyond “as soon as practicable,” the nine-day delay contrasts sharply with regulations in other jurisdictions. The U.S. HIPAA framework requires notification within 60 days, though regulatory enforcement in 2025 has shown authorities penalizing organizations that wait even a fraction of that time. Organizations should consult the U.S. State Breach Notification Requirements Tracker for comprehensive timelines across jurisdictions.
2. Contradictory Information
Multiple patients reported receiving conflicting messages. One Auckland patient, Barbara, told RNZ she initially received an email stating her data had not been impacted, only to receive a follow-up email two days later confirming she was affected.
3. Website Crashes
When affected patients attempted to access the ManageMyHealth platform to change passwords or check their breach status, many encountered website crashes due to overwhelming traffic. Barbara reported: “I got part way through and then there was a notification saying the website was down, I presume everybody who’s just been notified was trying to change their password immediately and it was overloaded.”
4. Inadequate Infrastructure Preparation
The 0800 helpline established for affected patients struggled with call volume. Patients overseas were told they could no longer use the app due to “security reasons,” and some received confusingly blank emails from the company.
5. Inconsistent GP Communications
Northland GPs expressed particular frustration at conflicting information. Some practices received patient counts but not names, others received complete lists, creating confusion about how to support concerned patients.
6. Communication Failures
On January 5, ManageMyHealth acknowledged in an update: “We acknowledge we could have done a better job at communication, however, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients.”
Legal and Regulatory Response
High Court Injunction
On January 5, 2026, ManageMyHealth secured interim High Court injunction orders that:
- Restrain unknown defendants and third parties from publishing, distributing, or dealing with stolen data
- Require anyone with access to stolen data or information obtained from it to immediately delete it
- Mandate immediate deletion and takedown of any publications or links to copies of the affected dataset
The presiding judge stated that the documents contained highly sensitive and confidential medical information and that further disclosure posed serious risk to affected individuals. Following the injunction, online posts associated with the attackers referencing the data were removed.
Government Review
Health Minister Simeon Brown commissioned an urgent Ministry of Health review covering:
- The cause and scope of the breach
- Data protections that were (or weren’t) in place
- ManageMyHealth’s defenses and security posture
- Wider impacts to data access across the health system
- Third-party access to health data across the healthcare sector
- The response by both ManageMyHealth and Health New Zealand
Brown confirmed the government was “throwing a significant amount of resource, especially within Health New Zealand and General Practice New Zealand, at addressing this and supporting Manage My Health as they respond to this incident.”
Privacy Commissioner Investigation
The Office of the Privacy Commissioner is conducting a formal investigation under the Privacy Act 2020 and Health Information Privacy Code. The Commissioner’s office had been notified of the breach on December 30 and remained in active contact throughout the response.
On January 7, the Privacy Commissioner issued guidance for affected patients on protective measures and what to watch for regarding identity theft, fraud, and targeted phishing.
Broader Policy Implications
The Public Service Association noted that the breach occurred amid reduced investment in digital and IT expertise in the health sector. PSA Secretary Fleur Fitzsimons called the breach “a chilling reminder of how the Government blundered in cutting the jobs of many IT experts safeguarding the public health system.”
The incident followed Health NZ’s proposal to remove 23 digital services roles—28% of the digital workforce—raising questions about the government’s cybersecurity priorities in healthcare.
Risk to Affected Individuals
Immediate Threats
Cybersecurity experts and consumer protection organizations warned that affected individuals face multiple risks:
Identity Theft and Fraud
Dr. Abhinav Chopra warned that stolen personal health information could be used for identity fraud: “Using this information, with phone banking and others, you can easily get access to a number of bank accounts and transfer money.”
Targeted Phishing and Impersonation
Netsafe, New Zealand’s online safety organization, advised ManageMyHealth users to be especially cautious of emails or messages containing personal information, as attackers could craft highly targeted phishing campaigns using medical context.
Extortion and Blackmail
Medical records often contain sensitive information about mental health conditions, substance abuse treatment, sexual health, abortion services, fertility treatment, or documentation of abuse. This information could be weaponized for extortion.
Re-traumatization
For survivors of sexual violence, family harm, or other trauma whose medical records document those experiences, the breach represents potential re-victimization if that information is released or used maliciously.
Long-term Consequences
Healthcare data breaches create long-lived harm that extends far beyond immediate financial fraud:
- Medical records cannot be changed like credit card numbers
- Sensitive health information retains value on dark web markets indefinitely
- Victims may face discrimination in employment, insurance, or personal relationships if health conditions are disclosed
- The psychological impact of medical privacy violations can be severe and lasting
ManageMyHealth’s guidance to affected patients included monitoring for:
- Medical bills or insurance claims they don’t recognize
- Unexpected letters from healthcare providers
- Suspicious contact from people claiming to have their health information
- Unusual account activity or access attempts
Broader Healthcare Cybersecurity Implications
New Zealand’s Healthcare IT Vulnerability
The ManageMyHealth breach is not an isolated incident. In January 2026, a second healthcare provider, CanopyHealth, revealed it had been targeted in a cyberattack in July 2025—a delay in disclosure that infuriated clients.
Additionally, New Zealand’s largest private oncology provider took six months to notify patients of a cyberattack, with independent security scans revealing similar DMARC configuration failures to those found at ManageMyHealth.
This pattern mirrors global healthcare cybersecurity trends in 2025, where healthcare breaches remained the costliest for the 15th consecutive year despite a reduction in average costs, and the UK’s healthcare cyber crisis which saw unprecedented attacks on NHS infrastructure. Major incidents like the Aflac data breach exposing 22.65 million records demonstrated how sophisticated threat actors like Scattered Spider systematically targeted the healthcare and insurance sectors throughout 2025.
The Third-Party Risk Problem
ManageMyHealth is a private company operating critical healthcare infrastructure. While GP practices can access some government funding for enrolled patients, they are private businesses that independently choose their technology partners. This creates a fragmented security landscape where:
- Individual practices may lack resources for comprehensive security assessments of vendors
- Patients have no control over or visibility into third-party data security practices
- Centralized government healthcare systems (like Health NZ) interface with numerous private sector portals
- Data retention policies may not align with patient expectations or clinical relationships
The risks inherent in third-party healthcare relationships have been demonstrated repeatedly in 2025. The Conduent ransomware attack exposed over 10.5 million Americans’ medical data when a business process outsourcing provider was compromised, affecting Blue Cross Blue Shield of Montana and numerous other healthcare organizations despite their own systems remaining secure. Similarly, the SimonMed Imaging breach through a vendor compromise affected 1.2 million patients.
ISO Certification Limitations
ManageMyHealth held both ISO 9001 (quality management) and ISO 27001 (information security management) certifications at the time of the breach. The company stated it has “quality assurance processes with regular testing of our systems” and “continuously monitors and upgrades its security and data protection systems.”
However, the breach demonstrates that ISO certification alone does not guarantee adequate security. The presence of basic misconfigurations (like DMARC) and the success of a credential-based attack suggest that security processes were not effectively implemented or monitored.
The Ransom Payment Question
ManageMyHealth declined to comment on whether it paid or would pay the ransom, citing the ongoing police investigation. However, the company’s January 9 update included explicit guidance against ransom payments:
“Payment does not guarantee that you will get your data back, may breach sanctions, and creates harm to others by providing funding for criminal activities.”
This guidance aligns with recommendations from cybersecurity experts and law enforcement globally, who emphasize that ransom payments:
- Fund additional criminal activities
- Provide no guarantee of data deletion
- May violate international sanctions depending on the recipient
- Incentivize future attacks on the payer and other organizations
Key Lessons and Recommendations
For Healthcare Organizations
1. Implement Comprehensive Access Controls
Credential-based attacks should be prevented through:
- Multi-factor authentication (MFA) on all access points
- Privileged access management (PAM) for administrative accounts
- Regular access reviews and deprovisioning of inactive accounts
- Geographic and behavioral anomaly detection
2. Address Basic Security Hygiene
Before pursuing advanced security measures, ensure fundamentals are properly configured:
- DMARC, SPF, and DKIM email authentication protocols
- Regular vulnerability assessments and penetration testing
- Timely patching and system updates
- Network segmentation to limit breach scope
3. Establish Robust Data Governance
- Clear data retention policies aligned with legal requirements and clinical need
- Automated processes for data deletion when relationships end
- Regular audits of stored data and access permissions
- Transparency with patients about data storage and third-party access
4. Develop Incident Response Capabilities
- Pre-established communication templates and notification processes
- Regular incident response drills and tabletop exercises
- Scalable infrastructure to handle surge traffic during incidents
- Clear roles and responsibilities across stakeholders
5. Monitor and Respond to Early Warnings
The June 2025 anonymous report to the Privacy Commissioner should have triggered immediate investigation. Organizations must:
- Treat all security reports seriously, even anonymous ones
- Conduct thorough investigations of potential exposures
- Document findings and remediation actions
- Report material findings to boards and relevant authorities
For Government and Regulators
1. Establish Minimum Security Standards
Third-party healthcare providers should meet mandatory baseline security requirements verified through:
- Regular independent security assessments
- Penetration testing by qualified firms
- Breach simulation exercises
- Compliance audits beyond basic ISO certification
2. Improve Breach Notification Requirements
Current notification timelines should be shortened with clearer expectations:
- Initial notification to authorities within 24-72 hours
- Public disclosure and patient notification within 72-96 hours where feasible
- Standardized notification content and format
- Consequences for delayed or inadequate notifications
Healthcare organizations globally face increasingly strict breach notification enforcement, with regulators imposing significant penalties for delays. The Q2 2025 Privacy & Data Protection Regulatory Enforcement Report documented unprecedented enforcement actions specifically targeting delayed breach notifications and inadequate risk assessments.
3. Invest in Public Healthcare IT Security
The proposed cuts to Health NZ digital services staff occurred at a critical time. Government must:
- Adequately resource cybersecurity functions in public healthcare
- Provide security guidance and support to private healthcare providers
- Establish sector-wide threat intelligence sharing
- Fund security improvement programs for smaller practices
4. Review Third-Party Data Access
The Health Ministry review should examine:
- Vetting processes for healthcare technology vendors
- Data minimization principles (storing only what’s necessary)
- Contractual security requirements and accountability
- Patient consent and control over third-party data sharing
Organizations must recognize that third-party vendor risk management has become a top enforcement priority globally, with regulators holding organizations accountable for their vendors’ security failures. Supply chain incident reporting and vendor security requirements must be integrated into procurement processes and contractual obligations.
For Patients and Healthcare Consumers
1. Understand Your Data Rights
Patients should:
- Ask healthcare providers which third-party systems store their data
- Request information about data retention policies
- Exercise rights to access and delete data where appropriate
- Question whether data storage continues after changing providers
2. Practice Good Security Hygiene
- Use unique passwords for healthcare portals
- Enable multi-factor authentication where available
- Monitor for suspicious medical bills or insurance claims
- Be skeptical of unsolicited contact referencing health information
3. Respond Promptly to Breach Notifications
When notified of a breach:
- Change passwords immediately on affected accounts
- Review recent account activity
- Place fraud alerts with banks and credit agencies
- Document any suspicious contacts or attempts at extortion
4. Advocate for Better Security
- Ask healthcare providers about their security practices
- Support regulatory improvements in healthcare data protection
- Report security concerns to relevant authorities
- Consider security posture when choosing healthcare providers
Conclusion: A Wake-Up Call for Healthcare Cybersecurity
The ManageMyHealth breach represents a critical failure in healthcare data protection that should serve as a wake-up call for New Zealand’s entire healthcare sector. The combination of basic security failures, inadequate incident response, and the sensitivity of compromised data creates a perfect storm of risk for affected patients.
Several factors made this breach particularly concerning:
The Attack Was Preventable: This wasn’t a sophisticated zero-day exploit or advanced persistent threat. It was a credential-based attack that should have been prevented by proper access controls and authentication mechanisms.
Early Warnings Were Ignored: The June 2025 anonymous report to the Privacy Commissioner represented a six-month window to identify and remediate vulnerabilities before the December breach.
Response Compounded the Harm: Delayed notifications, contradictory information, crashed websites, and inadequate support infrastructure added anxiety and confusion to an already distressing situation for affected patients.
The Data Is Permanently Compromised: Unlike financial data, medical records cannot be changed. The 126,000 affected individuals will live with the knowledge that their sensitive health information may be circulating indefinitely.
Systemic Vulnerabilities Remain: The breach exposed fragmentation in New Zealand’s healthcare IT security, with varying standards across private providers, inadequate third-party oversight, and insufficient investment in public healthcare cybersecurity.
As Health Minister Brown’s review progresses, several critical questions must be answered:
- How can New Zealand ensure consistent security standards across public and private healthcare providers?
- What regulatory changes are needed to prevent similar breaches?
- How should the government balance private sector healthcare IT innovation with patient data protection?
- What accountability mechanisms should apply to organizations that fail to protect sensitive health data?
- How can the healthcare sector better prepare for the increasing sophistication and frequency of cyberattacks?
The global compliance enforcement landscape has intensified dramatically in 2025, with regulatory fines skyrocketing 417% in the first half of the year alone. Healthcare organizations face mounting pressure to demonstrate adequate data protection measures, with regulatory authorities increasingly holding executives personally accountable for systemic security failures.
For the 126,000 affected New Zealanders, the breach is not over. They face ongoing risks of identity theft, fraud, targeted attacks, and the psychological burden of knowing their most private health information may be in the hands of criminals. ManageMyHealth, Health New Zealand, and the government must ensure these individuals receive ongoing support, monitoring assistance, and swift notification of any secondary impacts.
The healthcare sector stores humanity’s most sensitive information—details of our vulnerabilities, struggles, treatments, and most private moments. Organizations entrusted with this data bear a profound responsibility to protect it. The ManageMyHealth breach is a stark reminder that in cybersecurity, as in medicine, prevention is far better than cure—and far less painful for those affected.
For context on the potential long-term consequences of healthcare breaches, Yale New Haven Health’s $18 million settlement following a 5.6 million patient breach and the Change Healthcare incident affecting 190 million individuals demonstrate the cascading legal and financial impacts that can follow major healthcare data compromises.
This analysis is based on public reporting, official statements, and independent security assessments available as of January 20, 2026. The incident remains under active investigation by New Zealand Police, the Privacy Commissioner, and the Ministry of Health.
References
- ManageMyHealth Official Breach Updates and FAQs (managemyhealth.co.nz)
- Radio New Zealand Coverage and Interviews (rnz.co.nz)
- Office of the Privacy Commissioner Guidance (privacy.org.nz)
- The Register, Infosecurity Magazine, Healthcare IT News reporting
- Independent security analysis by BlackVeil Security, Waikato University Cyber Security Lab
- New Zealand Ministry of Health statements
- College of GPs public statements