Manage My Health Data Breach Exposes Clinical Records of Northland Patients
A cybersecurity breach at Manage My Health, a New Zealand-based patient portal, has compromised historical clinical referral records dating from 2017 to 2019, affecting an undisclosed number of general practices and patients in the Northland region. The company has not publicly identified which GP clinics were impacted, leaving practices and patients seeking clarity.
Key Details:
- Who: Manage My Health, a digital health platform used by general practices, confirmed the breach but has not yet fully identified all affected users. The Privacy Commissioner has stated the company is responsible for direct notifications and support.
- What: Stolen data includes historical clinical records, though the exact scope—such as patient numbers and specific information exposed—remains unclear. Some practices report fluctuating or inconsistent details in breach reports.
- When: The breach occurred just before the new year, with an urgent review ordered by Health Minister Simeon Brown. A ransom deadline, initially set for January 15, has since been extended.
- Where: The incident primarily impacts Northland-based general practices, though the full extent of affected clinics is still under investigation. Some practices, like Ngāti Hine Health Trust, proactively contacted the small number of their patients registered with the portal.
- Why: The hacker, identified as Kazu, claims to be negotiating a ransom payment. A High Court injunction was granted to prevent further dissemination of the stolen data, though enforcement is limited outside New Zealand’s jurisdiction.
Impact on Practices and Patients:
- Paihia Medical Services reported over half of its 5,100 patients are registered with Manage My Health, with the clinic awaiting confirmation on how many were affected.
- Kensington Health described the situation as chaotic, citing poor communication from Manage My Health and shifting breach reports. The practice has since migrated to a new system but retains historical data unless patients manually cancel their accounts.
- Some clinics, including an unnamed Whangārei medical centre, opted not to comment publicly to avoid alarming patients amid ongoing uncertainty.
- Ngāti Hine Health Trust took a proactive approach, personally contacting affected patients—many of whom were vulnerable individuals—to assess harm and offer support.
- Mahitahi Hauora, Northland’s largest primary health organization, is coordinating a national response to ensure consistency across impacted practices.
Ongoing Developments:
Manage My Health has emphasized accuracy in its investigation, prioritizing data protection and direct communication with affected users. Meanwhile, the hacker’s Telegram account, which previously shared details of the breach, has had all related posts removed following the injunction. The company continues to work with authorities to mitigate the fallout.
Mahitahi Hauora cybersecurity rating report: https://www.rankiteo.com/company/mahitahi-hauora
{
  "id": "MAH1767814456",
  "linkid": "mahitahi-hauora",
  "type": "Breach",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': 'Unknown (still being determined)',
            'industry': 'Healthcare',
            'location': 'Paihia, Northland, New Zealand',
            'name': 'Paihia Medical Services',
            'size': '5100 patients (over half registered with Manage My Health)',
            'type': 'Medical Clinic'
        },
        {
            'customers_affected': 'Unknown (numbers changing, lack of communication)',
            'industry': 'Healthcare',
            'location': 'Northland, New Zealand',
            'name': 'Kensington Health',
            'type': 'Medical Clinic'
        },
        {
            'customers_affected': '3 patients',
            'industry': 'Healthcare',
            'location': 'Moerewa, Whangārei, Kāeo, Kawakawa, New Zealand',
            'name': 'Ngāti Hine Health Trust',
            'type': 'Health Trust'
        },
        {
            'customers_affected': 'Unknown',
            'industry': 'Healthcare',
            'location': 'Whangārei, Northland, New Zealand',
            'name': 'Unnamed Whangārei Medical Centre',
            'type': 'Medical Clinic'
        },
        {
            'customers_affected': 'Unknown (impacted practices contacted)',
            'industry': 'Healthcare',
            'location': 'Northland, New Zealand',
            'name': 'Mahitahi Hauora (member general practices)',
            'type': 'Primary Health Organisation'
        }
    ],
    'customer_advisories': 'Affected users to be contacted directly by Manage My '
                           'Health with confirmation and next steps',
    'data_breach': {
        'data_exfiltration': 'Yes (data allegedly sold on dark web)',
        'personally_identifiable_information': 'Yes (patient health records)',
        'sensitivity_of_data': 'High (health data, including '
                               'sensitive/vulnerable patient information)',
        'type_of_data_compromised': 'Clinical referral records'
    },
    'description': 'A cyber incident involving the exposure of historical '
                   'clinical referral records dating from 2017 to 2019. Manage My '
                   'Health is still identifying affected users and has not '
                   'publicly disclosed all details. The breach has impacted '
                   'multiple general practices in Northland, New Zealand, with '
                   'sensitive patient data compromised.',
    'impact': {
        'brand_reputation_impact': 'Significant, with clinics expressing '
                                   'distress over lack of clarity and support',
        'data_compromised': 'Historical clinical referral records (2017-2019)',
        'identity_theft_risk': 'High (sensitive health data exposed)',
        'operational_impact': 'Clinics unable to determine affected patients; '
                              'delayed communication and uncertainty',
        'systems_affected': 'Manage My Health portal'
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': 'Allegedly (per hacker Kazu)'
    },
    'investigation_status': 'Ongoing (affected users still being identified)',
    'motivation': 'Ransom',
    'ransomware': {'data_exfiltration': 'Yes'},
    'references': [
        {'source': 'Northern Advocate'},
        {'source': 'New Zealand Herald'}
    ],
    'regulatory_compliance': {
        'legal_actions': 'High Court injunction granted',
        'regulations_violated': 'Privacy Act (New Zealand)',
        'regulatory_notifications': 'Privacy Commissioner involved; Manage My '
                                    'Health responsible for notifying affected users'
    },
    'response': {
        'communication_strategy': 'Limited; clinics advised not to '
                                  'proactively contact patients',
        'containment_measures': 'High Court injunction to prevent '
                                'access/sharing of stolen data',
        'recovery_measures': 'Identifying and contacting affected users; '
                             'working with a negotiator for ransom'
    },
    'stakeholder_advisories': 'Clinics advised not to proactively contact '
                              'patients; coordinated national response for '
                              'Mahitahi Hauora members',
    'threat_actor': 'Kazu (alleged hacker)',
    'title': 'Manage My Health Data Breach',
    'type': 'Data Breach'
}