Government orders review into ManageMyHealth data breach

· RNZ
Health Minister Simeon Brown.Photo: RNZ / Mark Papalii

Health Minister Simeon Brown has commissioned a review by the Ministry of Health into the response to a cyber security breach into patient information on ManageMyHealth.

Hackers have threatened to release 400,000 stolen documents from patient files if ManageMyHealth doesn't pay by Tuesday.

In a statement, Brown said patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards.

"I have decided to commission the Ministry of Health to lead a review of the ManageMyHealth and Health New Zealand's response."

The minister has written to the Director-General of Health asking that the review will commence by the end of the month.

The purpose of the review was laid out in Brown's letter, and included:

  • to assess the cause of the incident
  • to review the adequacy of data protections in place, and the response to the incident
  • to recommend any improvements required to prevent similar incidents in future

The letter set out that the review should begin as soon as possible, but noted it was "important that the review does not distract from the immediate response to the incident".

Brown said Health NZ had been advised there was no impact on its systems, and it was working with GPs to find out how patients may be affected.

The confirmation of a review came five days after ManageMyHealth claimed on New Year's Eve a cybersecurity breach involving unauthorised access to its systems had been "contained".

The company, which hosts New Zealand's largest patient information portal, the next day said up to 7 percent of its roughly 1.8 million registered users may have been impacted - about 126,000 people.

The hackers on Sunday threatened to leak more than 400,000 files unless the company paid them $60,000.

They had accessed the medical documents section of the ManageMyHealth app, and samples of documents for potential "buyers" included clinical notes, lab results, passport details and photos of people's bodies.

Brown said a team had been meeting daily to co-ordinate advice and support across government agencies and he had been receiving daily updates since 1 January.

"I know this breach will be very concerning to the many New Zealanders who use ManageMyHealth, and we need assurances around the protection and security of people's health data," Brown said.

"We must learn from this incident, to avoid any repeat events in the future."

He had earlier told RNZ it was a "deeply serious situation" and a "big wake-up call".

It was unknown where the hackers, calling themselves Kazu, were operating from, he said.

Meanwhile, ManageMyHealth has identified all patients who have had their health records stolen - but cannot yet say when they will all be told.

A spokesperson for ManageMyHealth said it hoped to have an update later in the week once all the communications with GPs and affected patients had been co-ordinated with the Ministry of Health, Health NZ, Privacy Commissioner and GPNZ.

"We are not waiting to determine who is affected - we know."

The company was working to provide "a timeframe for communications" by Tuesday.

Because the health documents originated from multiple sources, there were many different agencies with obligations under the Privacy Act and the Health Information Privacy Code to notify affected individuals.

"This requires co-ordination to ensure we meet our legal obligations and do not create confusion for patients by having different organisations contact them separately about the same incident."

The spokesperson said it would "not be appropriate to comment" on specific technical matters while the review was ongoing.

"What we can confirm is that we became aware of this incident on 30 December when we were notified by a partner, and we notified the relevant authorities that same day. The specific vulnerability that allowed unauthorised access has been identified, patched, and independently verified by external cybersecurity specialists."

Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.

Related Stories

ManageMyHealth breach: Patients at risk of identity theft, extortion - expertsThe hackers say they will leak more than 400,000 files if a ransom isn't paid, in what an expert says is "the worst data breach that I recall seeing in New Zealand".Ruth Hill, 04 Jan 2026ManageMyHealth says code fixed, security tightened after hackManageMyHealth says it has received "independent confirmation" from IT experts that the flaws in its code have been fixed.03 Jan 2026ManageMyHealth reveals scope of data breachBetween 6 and 7 percent of the approximately 1.8 million registered users may have been affected.01 Jan 2026PSA says the privacy breach exposes risk of cutting IT experts in public healthThe PSA says the ManageMyHealth security breach highlights the risk of cutting IT experts in public health.02 Jan 2026