About 125,000 Kiwi patients have had their details hacked in a cybersecurity ransomware attack.
Thousands of patients have been impacted by a serious cyber security breach on the trans-Tasman health information portal ManageMyHealth.
The company was told that ransomware group Kazu had breached its systems on 30 December 2025. It’s believed approximately 125,000 of its 1.8 million users were affected.
ManageMyHealth is a privately-operated patient portal that is used by some general practices in New Zealand. The breach related to documents uploaded by users, hospital discharge summaries and referrals from GPs to specialists and other providers from 2017-19.
This article originally ran on TMR’s sister site, Health Services Daily. TMR readers can sign up for a discounted subscription.
Patients from GP practices in the Northland area of New Zealand are particularly affected.
It’s believed the group got access through broken access controls. ManageMyHealth chief executive Vino Ramayah told Radio New Zealand that the attackers “came in through the front door using a valid user password”.
The group demanded a US$60,000 ransom, saying on Telegram that they deliberately targeted the healthcare sector as they know how sensitive and valuable the data can be.
NZ Health Minister Simeon Brown has commissioned a review into the breach.
“Patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards,” he said.
“I have decided to commission the Ministry of Health to lead a review of the ManageMyHealth and Health New Zealand’s response.
“We must learn from this incident, to avoid any repeat events in the future.”
Related
The company has offices in Melbourne and Chennai, India, although it’s not believed any Australian GPs or patients were caught up in the breach.
However, it serves as a warning. Not just for cybersecurity protocols including enforcing MFA, patching systems and encrypting data but also for how to manage a breach such as this.
Reports suggest that some patients whose health records have been stolen are struggling to get any information. The website last week crashed, and the 0800 number overloaded.
As clinician and Developer of Healthtech solutions in NZ, Nick Loveridge-Easther, wrote on LinkedIn, digital patient portals and shared health records are essential, but they won’t work if people don’t feel safe using the technology.
“Once trust in a health system is broken, it is extraordinarily hard to repair,” he wrote.
“That belief shapes how we design, govern, and deploy technology:
• security is embedded, not retrofitted
• clinical oversight is central, not peripheral
• patient data is treated as taonga, not a commodity
“Privacy and security are not barriers to innovation — they are prerequisites for it.”
