New Zealand’s Largest Health Data Breach Exposes 99,000 Patients Due to Preventable Security Failures
A preventable cyberattack on ManageMyHealth, a patient portal serving 1.8 million users across 680+ health centers, resulted in the theft of sensitive data belonging to 99,416 individuals one of New Zealand’s most damaging health sector breaches. The incident, which occurred on December 21, 2023, exposed clinical notes, intimate imagery, and passport scans, raising risks of blackmail and identity fraud.
Key Findings: A Breach Foretold
An independent security researcher warned the Ministry of Health in November 2023 about critical vulnerabilities in ManageMyHealth’s API security, with similar flaws flagged as early as December 2022. Despite these alerts, no evidence suggests the issues were fixed before the attack. The hacker, operating under the alias "Kazu", exploited a compromised user login and weak API controls to exfiltrate data an attack described as "neither technically sophisticated, nor particularly uncommon" by investigators.
The Privacy Commissioner, Michael Webster, determined that both ManageMyHealth and Health NZ breached the Privacy Act by failing to implement reasonable safeguards. Webster announced plans to issue compliance notices, the strongest enforcement tool available, against both organizations.
Impact and Response
- 91% of affected patients were based in Northland, with a disproportionate impact on Māori communities.
- Initial estimates suggested 127,000 individuals were exposed, later revised to 99,416.
- The hacker demanded US$60,000 (NZ$104,000) for the data’s return, though no mass release occurred. A police investigation remains ongoing.
- ManageMyHealth acknowledged the breach, apologized, and claimed the attack was limited to the "My Health Documents" section of its platform. The company has since implemented security upgrades, appointed an independent advisory board, and offered affected patients identity protection and mental health support.
Systemic Failures and Recommendations
A CyberCX report, commissioned by the Ministry of Health, found ManageMyHealth unprepared for such an incident, with significant control failings and misalignment with health information security frameworks. Patient notifications were criticized as "confused, overly optimistic, and inaccurate", with some unaffected users mistakenly alerted.
The review issued 12 recommendations, including:
- Mandatory penetration testing and external compliance assessments for ManageMyHealth.
- Stronger third-party supplier oversight by Health NZ, moving away from self-assessment models.
- Clearer protocols for patient notifications during breaches.
Broader Cybersecurity Reforms
The Ministry of Health confirmed system-wide improvements, including:
- Independent security assessments for key third-party suppliers.
- A desktop review of other major patient portals.
- A new action plan to strengthen cybersecurity expectations for vendors handling sensitive health data.
The breach underscored the need for proactive security measures and accountability in New Zealand’s health sector, with officials emphasizing that preventable incidents like this must not recur.
Source: https://www.1news.co.nz/2026/05/27/managemyhealth-warned-before-massive-data-breach-inquiry/
Manage My Health cybersecurity rating report: https://www.rankiteo.com/company/managemyhealth
"id": "MAN1779856181",
"linkid": "managemyhealth",
"type": "Breach",
"date": "12/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '99,416 individuals',
'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'ManageMyHealth',
'size': '1.8 million users across 680+ health centers',
'type': 'Patient portal'},
{'customers_affected': '99,416 individuals (indirectly)',
'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Health NZ',
'type': 'Government health agency'}],
'attack_vector': 'Compromised user login and weak API controls',
'customer_advisories': 'Affected patients offered identity protection and '
'mental health support; notifications criticized for '
'inaccuracies',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '99,416',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (medical and personal data)',
'type_of_data_compromised': ['Clinical notes',
'Intimate imagery',
'Passport scans',
'Personally identifiable '
'information']},
'date_detected': '2023-12-21',
'description': 'A preventable cyberattack on ManageMyHealth, a patient portal '
'serving 1.8 million users across 680+ health centers, '
'resulted in the theft of sensitive data belonging to 99,416 '
'individuals, one of New Zealand’s most damaging health sector '
'breaches. The incident exposed clinical notes, intimate '
'imagery, and passport scans, raising risks of blackmail and '
'identity fraud.',
'impact': {'brand_reputation_impact': 'Significant reputational damage to '
'ManageMyHealth and Health NZ',
'data_compromised': 'Clinical notes, intimate imagery, passport '
'scans, personally identifiable information',
'identity_theft_risk': 'High (exposure of sensitive personal data)',
'legal_liabilities': 'Breach of Privacy Act; compliance notices '
'issued',
'operational_impact': 'Patient notifications were confused and '
'inaccurate; some unaffected users '
'mistakenly alerted',
'systems_affected': 'ManageMyHealth patient portal (My Health '
'Documents section)'},
'initial_access_broker': {'entry_point': 'Compromised user login'},
'investigation_status': 'Ongoing (police investigation)',
'lessons_learned': 'The breach highlighted systemic failures in cybersecurity '
'preparedness, third-party supplier oversight, and patient '
'notification protocols in New Zealand’s health sector.',
'motivation': 'Extortion (Ransom demand)',
'post_incident_analysis': {'corrective_actions': ['Security upgrades '
'implemented',
'Independent advisory board '
'appointed',
'Mandatory penetration '
'testing and external '
'compliance assessments',
'Stronger third-party '
'supplier oversight'],
'root_causes': ['Critical API security '
'vulnerabilities left unpatched '
'despite prior warnings',
'Lack of proactive security '
'measures and compliance with '
'health information security '
'frameworks',
'Inadequate third-party supplier '
'oversight by Health NZ']},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'US$60,000 (NZ$104,000)'},
'recommendations': ['Mandatory penetration testing and external compliance '
'assessments for ManageMyHealth',
'Stronger third-party supplier oversight by Health NZ, '
'moving away from self-assessment models',
'Clearer protocols for patient notifications during '
'breaches',
'Independent security assessments for key third-party '
'suppliers',
'Desktop review of other major patient portals',
'New action plan to strengthen cybersecurity expectations '
'for vendors handling sensitive health data'],
'references': [{'source': 'Privacy Commissioner (New Zealand)'},
{'source': 'CyberCX report (commissioned by Ministry of '
'Health)'}],
'regulatory_compliance': {'legal_actions': 'Compliance notices issued by '
'Privacy Commissioner',
'regulations_violated': ['Privacy Act (New '
'Zealand)'],
'regulatory_notifications': 'Yes'},
'response': {'communication_strategy': 'Criticized as confused, overly '
'optimistic, and inaccurate',
'containment_measures': 'Security upgrades implemented '
'post-breach',
'incident_response_plan_activated': 'Yes, but deemed unprepared',
'law_enforcement_notified': 'Yes (police investigation ongoing)',
'remediation_measures': 'Independent advisory board appointed; '
'identity protection and mental health '
'support offered to affected patients',
'third_party_assistance': 'CyberCX (independent security '
'review)'},
'stakeholder_advisories': 'Ministry of Health announced system-wide '
'improvements and reforms',
'threat_actor': 'Kazu',
'title': 'New Zealand’s Largest Health Data Breach Exposes 99,000 Patients '
'Due to Preventable Security Failures',
'type': 'Data Breach',
'vulnerability_exploited': 'Critical API security vulnerabilities'}