New Zealand’s Largest Health Portal Hit by Major Ransomware Attack
New Zealand’s largest health portal, Manage My Health, has suffered one of the country’s most significant cybersecurity incidents after hackers stole over 400,000 documents from approximately 126,000 patients. The attackers demanded a $60,000 ransom by 5am Tuesday, threatening to release the sensitive data if payment was not made.
The breach has triggered a government review to assess whether security protections were adequate and identify necessary improvements. Manage My Health is pursuing an injunction to prevent public disclosure of patient information and is collaborating with Health NZ, the Ministry of Health, the Privacy Commissioner, and General Practice to mitigate risks.
The incident aligns with a broader trend of financially motivated cybercrime in New Zealand. The National Cyber Security Centre (NCSC) reported in December that 40% of cyber incidents in 2024/25 were linked to criminal or financial motives, more than double the previous year, while 25% were suspected state-sponsored attacks. Financial losses from cybercrime rose from $21.6 million to $26.9 million, with the NCSC advising against paying ransoms, noting that many victims who comply do not recover their data and face further extortion.
The attack follows other high-profile ransomware incidents in New Zealand’s healthcare sector, including the 2021 Waikato DHB breach, which crippled five hospitals for weeks and exposed 4,000 patients’ and employees’ data on the dark web. The DHB had been warned about outdated security, including unsupported Windows XP systems, though a later report found vulnerabilities were not the primary cause. Similarly, Tonga’s health system was disabled for nearly a month in June 2025 after hackers demanded $1 million, forcing reliance on manual records until Australia assisted in restoration.
The NCSC’s latest report highlights the growing threat of AI-driven attacks, which lower the technical barrier for cybercriminals while overwhelming traditional security measures. It also underscores the risks of supply chain attacks, where third-party vendors with weaker security become entry points for breaches. A 2022 attack on Mercury IT, for example, disrupted access to 14,500 coronial files and 5,500 health records held by Health NZ and the Ministry of Justice, though no unauthorized access was confirmed.
Beyond healthcare, New Zealand has faced other major breaches, including:
- Qantas (2025): Data from 5.7 million customers, including names and frequent flyer details, was stolen in a global attack.
- Nissan (2024): 100,000 customers in Australia and New Zealand had driver’s licenses, passports, and tax files exposed, with some data published on the dark web.
- Latitude Financial (2023): Over 14 million documents, including 1 million NZ driver’s license numbers and 90,000 bank account details, were stolen in what was then New Zealand’s largest breach.
- NZX (2020): Repeated DDoS attacks halted trading for nearly a week, disrupting the stock exchange.
- Parliament (2021): A state-sponsored hack by APT40, allegedly linked to China, targeted parliamentary systems but was contained by the NCSC.
While not all incidents were deliberate (such as the 2024 CrowdStrike outage, which caused global IT disruptions), New Zealand’s cybersecurity landscape remains under pressure from both criminal and state-backed threats. The Manage My Health breach serves as a stark reminder of the vulnerabilities in critical infrastructure, particularly as attackers increasingly exploit unpatched systems, weak authentication, and third-party risks.
Ministry of Health New Zealand cybersecurity rating report: https://www.rankiteo.com/company/ministry-of-health-new-zealand
Latitude Health cybersecurity rating report: https://www.rankiteo.com/company/latitude-health-ai