Manage My Health starts notifying affected practices after major cyber breach

Manage My Health, an online patient portal widely used by general practices in New Zealand, has started notifying affected practices of a cyber incident that impacted around 125,000 of its 1.8 million users.

Manage My Health was notified “of a serious cybersecurity breach” that involved unauthorized access to its "My Health Documents" module in the app on December 30th, 2025, which was then publicly disclosed on January 1st.

In response, the company proactively secured the platform, engaged cybersecurity and forensic specialists, and informed the Office of the Privacy Commissioner.

Based on the current information, the incident was limited to roughly 6-7% of its 1.8 million registered users whose data was stored in the ‘My Health Documents’ module on the Manage My Health app.

The accessed data reportedly belongs to roughly 45 general practices in Northland, including some clinical discharge summaries and historical clinical referral records between six and eight years old, as well as health-related information uploaded by patients. News reports suggest that 355 "referral-originating" GP practices were also indirectly impacted by the breach.

The company has now notified the first group of affected general practices and unaffected practices in a communication, and is working on a process to inform practices that have left Manage My Health.

The ransomware group Kazu claimed responsibility for the attack and demanded a US$60,000 ransom within 48 hours. The hackers initially released a sample of stolen data, but although the deadline is believed to have expired as of Thursday (and then reportedly moved to Friday morning), no further information has been released.

Manage My Health has obtained injunction orders from the High Court to block third parties from accessing any stolen data. According to RNZ, mentions of Manage My Health have been removed from an account allegedly belonging to Kazu on Wednesday morning.

Governments around the world are strongly urging companies to avoid paying ransoms, and some countries are implementing a ban on ransom payments.

“We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of this activity against our systems,” Manage My Health said.