New Zealand Health Data Breach: ManageMyHealth Targeted by Cyber Attack with Ransom Demand

A significant cyber security breach has compromised patient information held on ManageMyHealth, a privately operated patient portal used by various general practices across New Zealand. The breach was detected in the early morning hours of December 31, 2025, affecting health data stored within the system.

Health Minister Simeon Brown has initiated a formal review process through the Ministry of Health to examine the government's response to the incident. Brown emphasized the critical importance of protecting patient health information, regardless of whether it is held by public agencies or private companies, and stated that such data requires the highest standard of security protection.

The review process is set to commence no later than January 30, 2026. Brown indicated that while the review is important, the immediate priority remains focused on responding to the breach itself and maintaining coordination across government agencies. An Incident Management Team has been established and is meeting daily to coordinate response efforts and provide support across multiple government departments.

ManageMyHealth has confirmed that the incident has been contained and has identified all general practices that were impacted. The company stated that affected patients have been identified and is working to establish a timeline for communications regarding the breach. Because patient health documents originated from multiple sources, numerous agencies hold obligations under both the Privacy Act and the Health Information Privacy Code to notify individuals affected by the breach.

Health NZ has assembled an incident management team and is coordinating with the General Practice New Zealand association, the National Cyber Security Centre, and the Police Cyber Crime Unit to manage the breach and develop measures to prevent future incidents. ManageMyHealth is also pursuing legal action to protect the compromised data, with Health NZ providing support for these efforts.

Ransom Demand and Criminal Activity

The cyber criminals responsible for the breach have issued an ultimatum, demanding ManageMyHealth pay a $60,000 ransom by Tuesday or face the public release of all compromised data. According to statements made by the hackers in online forums, the group reduced their original deadline in response to ManageMyHealth's communication approach, which they characterized as inadequate. The hackers claimed that ManageMyHealth users had repeatedly requested clear explanations of what occurred but received minimal responses or only vague statements about ongoing discussions with partners.

The criminal group stated they were motivated solely by financial gain rather than political objectives, and indicated that upon payment, they would provide ManageMyHealth with a copy of the data, delete the information from their servers, and cease any related activity.

ManageMyHealth has stated that the ransom demand is a matter for law enforcement authorities, who have been notified of the situation.