Back

Massive Data Breach Exposes Health Information of Nearly 100,000 New Zealanders

Severity: High (Score: 69.0)

Sources: 1News.Co.Nz, Thespinoff.Co.Nz, Scoop.Co.Nz, Business.Scoop.Co.Nz, Nzdoctor.Co.Nz

Published: 2026-05-26 · Updated: 2026-05-27

Keywords: health, manage, privacy, commissioner, security, monitor, upgrades

Summary

In December 2025, the Manage My Health platform suffered a significant cyber attack, compromising sensitive health data of approximately 100,000 New Zealanders. The breach was attributed to inadequate security safeguards, including poor monitoring and risk management practices. Most affected individuals were located in Northland, with many being Māori, due to a unique data-sharing arrangement between Health NZ and Manage My Health. The Privacy Commissioner found both organizations breached the Privacy Act and intends to issue compliance notices requiring improvements. The breach was described as preventable, with researchers noting that the attack was neither sophisticated nor uncommon. Reports indicate that the stolen data included clinical notes and personal documents, raising concerns about potential identity theft and blackmail. The Ministry of Health is now implementing stronger cybersecurity measures across the health sector in response to the incident. Key Points: • Nearly 100,000 New Zealanders' health data was compromised in a major breach. • The attack exploited weak security practices and a unique data-sharing arrangement. • The Privacy Commissioner plans to enforce compliance notices to improve security measures.

Detailed Analysis

**Impact** Nearly 100,000 New Zealanders had sensitive health information exposed in the December 2025 breach, with approximately 91% of affected patients located in Northland, many of whom are Māori. The data stolen included medical records, clinical notes, hospital discharge information, intimate imagery, and scanned identification documents. The breach caused significant distress and anxiety among patients and impacted healthcare providers and the wider community. The incident revealed systemic weaknesses in Health NZ and Manage My Health’s security practices, affecting the health sector’s trust and operational integrity. **Technical Details** The attacker, using the alias "Kazu," exploited compromised user credentials obtained via malware to access the Manage My Health patient portal. The breach involved exploiting vulnerabilities in the portal’s API, allowing unauthorized bulk extraction of patient documents. No specific CVEs or malware names were detailed in the reports. The attack chain included credential compromise, unauthorized access, and data exfiltration stages, facilitated by inadequate security controls such as lack of multi-factor authentication and insufficient monitoring to detect abnormal data access. **Recommended Response** Implement mandatory multi-factor authentication and strengthen access controls across patient portals. Deploy real-time monitoring and alerting systems to detect unusual data access patterns promptly. Conduct independent security testing and penetration testing regularly, focusing on API security and third-party vendor risk management. Establish centralized assurance and verification processes for all health sector suppliers handling sensitive data, and enforce compliance notices requiring proof of effective security improvements. Monitor dark web and threat actor communications for potential data leaks.

Source articles (16)

  • #hauora: Cyber Review Reveals Major Failures Behind Massive Health Data Breach — Waateanews · 2026-05-26
    A Government-commissioned cyber security review has found serious security failings inside the Manage My Health platform before one of the largest health data breaches in New Zealand history. The inde…
  • Privacy commissioner to monitor security upgrades after Manage My Health hack — Rnz.Co.Nz · 2026-05-26
    Manage My Health didn't have adequate security controls, the Privacy Commissioner has found. Photo: RNZ / Finn Blackwell Health NZ and its patient portal Manage My Health "failed in their responsibili…
  • Privacy commissioner to monitor security upgrades after Manage My Health hack — Rnz.Co.Nz · 2026-05-26
    Manage My Health didn't have adequate security controls, the Privacy Commissioner has found. Photo: RNZ / Finn Blackwell Health NZ and its patient portal Manage My Health "failed in their responsibili…
  • #hauora: Privacy Commissioner Slams Health NZ And Manage My Health Over Massive ... — Waateanews · 2026-05-26
    The Privacy Commissioner has found both Health New Zealand and Manage My Health failed to properly protect the sensitive health information of nearly 100,000 New Zealanders caught up in last year’s ma…
  • Damning health data breach reports released — Thespinoff.Co.Nz · 2026-05-26
    Three reports on the Manage My Health cyber security breach were released today… so what happened exactly, asks Henry Oliver in today’s excerpt from The Bulletin. Late last year, Manage My Health (MMH…
  • ManageMyHealth warned before massive data breach – inquiry — 1News.Co.Nz · 2026-05-26
    ManageMyHealth was warned security flaws that contributed to the country's largest health data breach, yet failed to act before a hacker stole the records of nearly 100,000 patients, a review has foun…
  • GPNZ Backs Stronger National Assurance Following Phase One MMH Inquiry Findings — Scoop.Co.Nz · 2026-05-26
    News Video | Policy | GPs | Hospitals | Medical | Mental Health | Welfare | General Practice New Zealand (GPNZ) welcomes the shared conclusions of three reports into the Manage My Health (MMH) privacy…
  • Manage My Health Acknowledges The Serious Nature Of The December 2025 Cyber ... — Scoop.Co.Nz · 2026-05-26
    News Video | Policy | GPs | Hospitals | Medical | Mental Health | Welfare | Manage My Health (MMH) acknowledges the serious nature of the December 2025 cyber security incident and the distress and con…
  • Independent Review Recommends Stronger Cyber Security Across Health System — Business.Scoop.Co.Nz · 2026-05-26
    Ministry of Health Chief Medical Officer Dr Joe Bourne says this was a serious breach involving the cyber theft of highly sensitive health information affecting 99,000 people. The Ministry of Health i…
  • GPNZ Backs Stronger National Assurance Following Phase One MMH Inquiry Findings — Business.Scoop.Co.Nz · 2026-05-26
    GPNZ has been working alongside Health NZ to develop practical resources for the sector, including a cyber security checklist and guidance for safe information sharing practices. General Practice New…
  • Privacy Commissioner Released The Results Of Phase 1 Of Inquiry Into The December ... — Scoop.Co.Nz · 2026-05-26
    News Video | Policy | GPs | Hospitals | Medical | Mental Health | Welfare | Privacy Commissioner Michael Webster has today released the results of Phase 1 of his Inquiry into the December 2025 Manage…
  • Manage My Health Acknowledges The Serious Nature Of The December 2025 Cyber ... — Business.Scoop.Co.Nz · 2026-05-26
    MMH has supported New Zealands healthcare sector for more than 18 years and remains committed to protecting patient information and supporting safe digital access to care. Manage My Health (MMH) ackno…
  • Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act — Nzdoctor.Co.Nz · 2026-05-27
    Privacy Commissioner Michael Webster has today released the results of Phase 1 of his Inquiry into the December 2025 Manage My Health cyber incident in which the sensitive health information of New Ze…
  • Privacy Commissioner Released The Results Of Phase 1 Of Inquiry Into The December ... — Business.Scoop.Co.Nz · 2026-05-27
    The Inquiry has found both Manage My Health and Health NZ failed in their responsibilities to have reasonable security safeguards in place to protect patient information. Privacy Commissioner Michael…
  • Independent review recommends stronger cyber security across health system — Nzdoctor.Co.Nz · 2026-05-27
    The Ministry of Health is strengthening cyber security across the health system following an independent review into the Manage My Health (MMH) cyber incident. This includes new work to ensure key thi…
  • Manage My Health Hack: How can you be sure your data is safe? — Rnz.Co.Nz · 2026-05-27
    Three reports have been released today analysing the breach of Health New Zealand's patient portal Manage My Health. In December, hundreds of thousands of medical files were stolen in a cyber-attack w…

Timeline

  • 2025-12-01 — Cyber attack on Manage My Health: Hackers accessed sensitive health data, leading to the theft of records from nearly 100,000 patients.
  • 2026-05-26 — Privacy Commissioner releases Phase 1 findings: The inquiry found that Manage My Health and Health NZ breached the Privacy Act due to inadequate security safeguards.
  • 2026-05-27 — Ministry of Health announces cybersecurity reforms: In response to the breach, the Ministry is implementing stronger cybersecurity measures and independent assessments for third-party suppliers.

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Ransomware (Attack Type)
  • Cereus Health Group (Company)
  • Health New Zealand (Company)
  • Health NZ (Company)
  • Manage My Health (Company)
  • ManageMyHealth (Company)
  • Ministry Of Health (Company)
  • Australia (Country)
  • New Zealand (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • scoop.co.nz (Domain)
  • Healthcare (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Manage My Health Portal (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed