Massive Cyber Breach Exposes Health Data of Nearly 100,000 New Zealanders
Severity: High (Score: 71.0)
Sources: Rnz.Co.Nz, Scoop.Co.Nz, 1News.Co.Nz, Business.Scoop.Co.Nz, Waateanews
Published: · Updated:
Keywords: health, manage, privacy, commissioner, security, monitor, upgrades
Summary
In December 2025, a cyber attack on Manage My Health (MMH) led to the theft of sensitive health data from nearly 100,000 patients, primarily in Northland, New Zealand. The breach was attributed to inadequate security measures, including a lack of monitoring systems to detect unauthorized access. Hackers exploited vulnerabilities in MMH's application programming interface, using stolen credentials to access patient records. The Privacy Commissioner found both MMH and Health NZ breached the Privacy Act, leading to significant distress among affected individuals, particularly Māori communities. Compliance notices will be issued to both organizations to enforce security improvements. Reports indicate that the stolen data included clinical notes and personal documents, raising concerns about potential identity fraud and blackmail. The incident has prompted calls for stronger national oversight and security standards across the health sector. Key Points: • Nearly 100,000 patients' health data was stolen in a cyber attack on Manage My Health. • The breach was due to inadequate security controls and a lack of independent oversight. • Privacy Commissioner calls for stronger national security standards and accountability for third-party vendors.
Detailed Analysis
**Impact** Nearly 100,000 New Zealanders’ sensitive health data was exposed, with approximately 91% of affected patients located in Northland, many of whom are Māori. The breach involved private medical records, clinical notes, hospital discharge information, intimate imagery, and scans of personal identification documents. The incident caused significant distress and anxiety, particularly in Te Tai Tokerau, and has operationally burdened primary care providers and PHOs who supported affected patients. The breach also damaged public trust in digital health systems nationwide. **Technical Details** The attacker, using the alias "Kazu," exploited compromised legitimate user credentials obtained via malware to access the Manage My Health patient portal. The breach leveraged weaknesses in the portal’s API security and inadequate access controls, including the absence of multi-factor authentication at the time. The attack was not technically sophisticated but was facilitated by poor monitoring, insufficient risk management, and a lack of systems to detect large-scale data exfiltration. No specific CVEs or malware names were disclosed. **Recommended Response** Implement mandatory multi-factor authentication for all user access and strengthen real-time monitoring and alerting to detect abnormal data access patterns. Conduct comprehensive penetration testing and independent security audits of patient portals and third-party vendors. Establish centralized assurance and compliance programs for all digital health providers, with clear accountability and regular verification of security controls. Monitor dark web and threat actor communications for potential data leaks or further exploitation.
Source articles (11)
- #hauora: Cyber Review Reveals Major Failures Behind Massive Health Data Breach — Waateanews · 2026-05-26
A Government-commissioned cyber security review has found serious security failings inside the Manage My Health platform before one of the largest health data breaches in New Zealand history. The inde… - Privacy commissioner to monitor security upgrades after Manage My Health hack — Rnz.Co.Nz · 2026-05-26
Manage My Health didn't have adequate security controls, the Privacy Commissioner has found. Photo: RNZ / Finn Blackwell Health NZ and its patient portal Manage My Health "failed in their responsibili… - Privacy commissioner to monitor security upgrades after Manage My Health hack — Rnz.Co.Nz · 2026-05-26
Manage My Health didn't have adequate security controls, the Privacy Commissioner has found. Photo: RNZ / Finn Blackwell Health NZ and its patient portal Manage My Health "failed in their responsibili… - #hauora: Privacy Commissioner Slams Health NZ And Manage My Health Over Massive ... — Waateanews · 2026-05-26
The Privacy Commissioner has found both Health New Zealand and Manage My Health failed to properly protect the sensitive health information of nearly 100,000 New Zealanders caught up in last year’s ma… - Damning health data breach reports released — Thespinoff.Co.Nz · 2026-05-26
Three reports on the Manage My Health cyber security breach were released today… so what happened exactly, asks Henry Oliver in today’s excerpt from The Bulletin. Late last year, Manage My Health (MMH… - ManageMyHealth warned before massive data breach – inquiry — 1News.Co.Nz · 2026-05-26
ManageMyHealth was warned security flaws that contributed to the country's largest health data breach, yet failed to act before a hacker stole the records of nearly 100,000 patients, a review has foun… - GPNZ Backs Stronger National Assurance Following Phase One MMH Inquiry Findings — Scoop.Co.Nz · 2026-05-26
News Video | Policy | GPs | Hospitals | Medical | Mental Health | Welfare | General Practice New Zealand (GPNZ) welcomes the shared conclusions of three reports into the Manage My Health (MMH) privacy… - Manage My Health Acknowledges The Serious Nature Of The December 2025 Cyber ... — Scoop.Co.Nz · 2026-05-26
News Video | Policy | GPs | Hospitals | Medical | Mental Health | Welfare | Manage My Health (MMH) acknowledges the serious nature of the December 2025 cyber security incident and the distress and con… - Independent Review Recommends Stronger Cyber Security Across Health System — Business.Scoop.Co.Nz · 2026-05-26
Ministry of Health Chief Medical Officer Dr Joe Bourne says this was a serious breach involving the cyber theft of highly sensitive health information affecting 99,000 people. The Ministry of Health i… - GPNZ Backs Stronger National Assurance Following Phase One MMH Inquiry Findings — Business.Scoop.Co.Nz · 2026-05-26
GPNZ has been working alongside Health NZ to develop practical resources for the sector, including a cyber security checklist and guidance for safe information sharing practices. General Practice New… - Privacy Commissioner Released The Results Of Phase 1 Of Inquiry Into The December ... — Scoop.Co.Nz · 2026-05-26
News Video | Policy | GPs | Hospitals | Medical | Mental Health | Welfare | Privacy Commissioner Michael Webster has today released the results of Phase 1 of his Inquiry into the December 2025 Manage…
Timeline
- 2025-12-01 — Cyber attack on Manage My Health: Hackers accessed sensitive health data using stolen credentials, affecting nearly 100,000 patients.
- 2026-05-26 — Privacy Commissioner releases inquiry findings: The inquiry revealed significant security failures by Manage My Health and Health NZ, leading to compliance notices.
- 2026-05-26 — Reports on breach released: Three independent reports highlighted the lack of security measures and called for systemic improvements in health data protection.
- 2026-05-26 — Manage My Health acknowledges breach: MMH confirmed the breach and outlined steps taken to improve security, including multi-factor authentication.
Related entities
- Data Breach (Attack Type)
- Malware (Attack Type)
- Ransomware (Attack Type)
- Cereus Health Group (Company)
- Health New Zealand (Company)
- Health NZ (Company)
- Manage My Health (Company)
- ManageMyHealth (Company)
- Ministry Of Health (Company)
- Australia (Country)
- New Zealand (Country)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- scoop.co.nz (Domain)
- Healthcare (Industry)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Manage My Health Portal (Platform)