ManageMyHealth cyber attack exposes patient data as responsibility falls on private operator

The breach occurred on December 29.

Summarised by Centrist

A cyberattack on the ManageMyHealth patient portal may have exposed sensitive personal health information of about 126,000 New Zealanders.

Health Minister Simeon Brown said affected patients should be notified as quickly as possible, as authorities work with the privately operated platform to assess the damage and contain further risk.

The breach occurred on December 29, when attackers calling themselves “Kazu” gained unauthorised access to ManageMyHealth, an online system used by some general practices to share test results, appointment information, and clinical notes with patients. 

The attackers claim to possess hundreds of thousands of files and have demanded a ransom, threatening to release more data if payment is not made.

Brown said Health NZ was assisting ManageMyHealth with a “rapid notification” plan so patients could be told what information of theirs may have been compromised.

The ransom deadline has since passed, with hackers claiming to hold more than 400,000 files, though no further data has been released.

General practice groups say patients remain anxious, and GPs are fielding a high volume of queries. At the same time, ManageMyHealth has acknowledged communication shortcomings and says it will issue daily updates as the police investigation continues.

Brown confirmed the company had also sought a court injunction to prevent any republication of stolen data.

The minister described the attackers as criminals seeking financial gain and reiterated the government’s general position against paying ransoms, noting there is no assurance stolen data would be deleted even if payment were made.

Brown has instructed the Ministry of Health to begin a formal review before the end of January.

Health NZ has advised that its own systems were not affected by the attack. General practices using ManageMyHealth remain open and operational, while officials work with primary care providers to clarify the potential impact on patients.

Editor’s note: Following publication, the story prompted a large volume of reader reaction on social media, much of it linking the ManageMyHealth breach to broader unease about digitised personal data and proposed digital ID systems. 

Commenters repeatedly framed the incident as a warning about centralised databases, with remarks such as “Just imagine if we had a digital ID for ‘safety’, and that database got hacked,” and “This should be a warning for anyone who thinks that Digital ID is for our benefit, or a good idea.” 

Read more over at The NZ Herald
