Major Data Breach Exposes Health Records of Nearly 100,000 New Zealanders
Severity: High (Score: 69.0)
Sources: Waateanews, Thespinoff.Co.Nz, 1News.Co.Nz, Rnz.Co.Nz
Published: · Updated:
Keywords: health, manage, privacy, commissioner, security, monitor, upgrades
Summary
In December 2025, a cyber attack on Manage My Health, a patient portal, compromised the sensitive health information of nearly 100,000 New Zealanders, primarily in Northland. The Privacy Commissioner found that both Manage My Health and Health NZ failed to implement adequate security controls, breaching the Health Information Privacy Code. The breach was attributed to a combination of weak security systems and poor risk management practices. A hacker group named Kazu stole the data and threatened to release it unless a ransom was paid. The inquiry revealed that over 70% of affected individuals were from Northland, linked to a unique data-sharing arrangement. Compliance notices will be issued to both organizations to enforce security upgrades. The inquiry also recommended changes to the Privacy Act to hold third-party companies accountable for data security failures. Phase Two of the inquiry will assess the broader impacts of the breach, including consent and communication issues. Key Points: • Nearly 100,000 health records were compromised due to inadequate security at Manage My Health. • The breach primarily affected patients in Northland, with over 70% of victims from this region. • The Privacy Commissioner will monitor security upgrades and enforce compliance notices for Health NZ and Manage My Health.
Detailed Analysis
**Impact** Nearly 100,000 New Zealanders had sensitive health information exposed in the December 2025 breach, with approximately 91% of affected patients located in Northland, predominantly Māori. The data stolen included private medical records accessed via the Manage My Health patient portal, which is used by healthcare providers nationwide. The breach caused significant distress and anxiety among patients and has led to halted data flows from Northland hospitals to the portal. Health NZ and Manage My Health face compliance notices and are required to improve security safeguards. **Technical Details** The breach resulted from a cyber attack using compromised credentials to access the Manage My Health portal. Key failures included inadequate technical security safeguards, lack of systems to detect large-scale data access, poor monitoring, and insufficient risk management. No specific malware, CVEs, or infrastructure details were disclosed. The attack exploited weaknesses in third-party arrangements and the absence of independent security verification, particularly in the unique Northland hospital discharge data sharing process. **Recommended Response** Defenders should implement mandatory multi-factor authentication, enhance real-time monitoring, and strengthen access controls immediately. Conduct independent security testing and audits of third-party providers handling sensitive health data. Establish centralized approval and assurance processes for patient portals and enforce compliance with updated Privacy Act provisions holding third parties directly liable. Monitor for unusual data access patterns and ensure all security improvements are independently verified for effectiveness.
Source articles (5)
- Privacy commissioner to monitor security upgrades after Manage My Health hack — Rnz.Co.Nz · 2026-05-26
Manage My Health didn't have adequate security controls, the Privacy Commissioner has found. Photo: RNZ / Finn Blackwell Health NZ and its patient portal Manage My Health "failed in their responsibili… - Privacy commissioner to monitor security upgrades after Manage My Health hack — Rnz.Co.Nz · 2026-05-26
Manage My Health didn't have adequate security controls, the Privacy Commissioner has found. Photo: RNZ / Finn Blackwell Health NZ and its patient portal Manage My Health "failed in their responsibili… - #hauora: Privacy Commissioner Slams Health NZ And Manage My Health Over Massive ... — Waateanews · 2026-05-26
The Privacy Commissioner has found both Health New Zealand and Manage My Health failed to properly protect the sensitive health information of nearly 100,000 New Zealanders caught up in last year’s ma… - Damning health data breach reports released — Thespinoff.Co.Nz · 2026-05-26
Three reports on the Manage My Health cyber security breach were released today… so what happened exactly, asks Henry Oliver in today’s excerpt from The Bulletin. Late last year, Manage My Health (MMH… - ManageMyHealth warned before massive data breach – inquiry — 1News.Co.Nz · 2026-05-26
ManageMyHealth was warned security flaws that contributed to the country's largest health data breach, yet failed to act before a hacker stole the records of nearly 100,000 patients, a review has foun…
Timeline
- 2025-12-01 — Cyber attack on Manage My Health: A hacker group named Kazu stole sensitive health data from Manage My Health, affecting nearly 100,000 patients.
- 2026-05-26 — Privacy Commissioner releases inquiry findings: The inquiry found significant security failures by Manage My Health and Health NZ, leading to the data breach.
- 2026-05-26 — Compliance notices to be issued: The Privacy Commissioner announced compliance notices requiring Health NZ and Manage My Health to enhance security measures.
- 2026-05-26 — Recommendations for Privacy Act changes: The inquiry recommended amending the Privacy Act to hold third-party providers liable for data security failures.
Related entities
- Data Breach (Attack Type)
- Ransomware (Attack Type)
- Cereus Health Group (Company)
- Health New Zealand (Company)
- Health NZ (Company)
- Manage My Health (Company)
- ManageMyHealth (Company)
- Ministry Of Health (Company)
- New Zealand (Country)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- Healthcare (Industry)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Manage My Health Portal (Platform)