Manage My Health Data Breach – What We’ve Heard

Jan 3, 2026 | IT News & Insights New Zealand | Cybersecurity, AI & Microsoft Updates, Security

What New Zealand Businesses Need to Learn from 126,000 Compromised Patient Records

New Zealand’s largest patient information portal confirmed a major cyber security breach on New Year’s Eve, with up to 126,000 users potentially affected. The Manage My Health incident isn’t just a healthcare story. It is a warning for every New Zealand business handling sensitive customer data.

While most Kiwis were celebrating the new year, the Kazu ransomware group was exfiltrating 108 gigabytes of medical data from Manage My Health. This included patient records, test results, prescriptions, appointment histories, and personal information for potentially 6-7% of the platform’s 1.8 million registered users.

The breach highlights three critical cybersecurity failures that New Zealand businesses can’t afford to ignore.

The Breach: What Actually Happened

Manage My Health, the online platform connecting patients with GP practices across New Zealand, identified “unauthorised access” to its systems on December 30, 2025. The platform immediately engaged international forensic consultants and notified the Privacy Commissioner, Police, and Health New Zealand.

The Kazu group claims to have stolen 428,337 files totalling 108GB of data. They’ve set a ransom demand of $60,000 USD with a deadline of January 15, 2026, threatening to release the complete dataset if payment isn’t received.

CEO Vino Ramayah stated the incident has been contained and investigations are underway. Affected users are being notified directly, though the company estimates this represents between 108,000 and 126,000 individuals.

Health Minister Simeon Brown described the breach as “concerning” while confirming Health New Zealand’s own systems remain unaffected, as Manage My Health operates separate infrastructure.

Three Critical Failures Every Business Should Note

1. Communication Breakdown During Crisis

Perhaps the most damaging aspect wasn’t the breach itself—it was how stakeholders learned about it.

Dr Luke Bradford, president of the College of GPs, told media: “It’s terribly disappointing. They’re an absolutely key tool that we use for patients… if their data’s not safe, then their very personal information is not safe.”

The problem was that GPs learned about the breach from news articles, not from Manage My Health. Doctors—the platform’s primary professional users—found out from media reports while their practices were closed for the holiday period.

Business lesson: Your incident response plan must identify primary stakeholders and notify them before they read about it in the news. When doctors who rely on your platform daily learn about security breaches from journalists, trust erodes immediately.

2. The Holiday Timing Vulnerability

The breach occurred during the extended Christmas/New Year period when most GP practices were closed for four days. This wasn’t coincidental. Cyber criminals specifically target holiday periods when security teams are operating with reduced staff and response capabilities are compromised.

Business lesson: Cybersecurity doesn’t take holidays. Attackers know this and exploit it systematically. Your monitoring and response capabilities need to maintain effectiveness during holiday periods, not scale back when your business is most vulnerable.

3. Scale Matters—But So Does Preparation

Cybersecurity expert Daniel Ayers noted this breach is “catastrophic on the New Zealand scale,” potentially affecting 30 times more people than the 2021 Waikato DHB breach (4,000 people).

With 1.8 million registered users, Manage My Health is New Zealand’s largest patient information portal. But size didn’t protect them, and the ransom demand of just $60,000 seems surprisingly low given the data’s sensitivity and the number of affected users.

Business lesson: Whether you’re managing 1,800 customer records or 1.8 million, the fundamental security principles remain the same. Systematic protection, including current software patches and tools, consistent monitoring, and verified backup procedures, isn’t optional.

What This Means for Your Business

If your organisation handles sensitive customer data such as financial records, personal information, proprietary business details, or client communications, then the Manage My Health breach offers three immediate lessons:

Your stakeholders deserve direct communication. Don’t let customers, partners, or professional users learn about security incidents from media reports. Incident response plans must include immediate stakeholder notification protocols. Kinetics can help you prepare these plans, which hopefully will never be needed.

Holiday vulnerabilities are real. December through January represents New Zealand’s highest-risk period for cyber attacks. Reduced staffing, delayed responses, and slower decision-making create opportunities attackers systematically exploit.

Containment isn’t resolution. Manage My Health contained the breach quickly and engaged forensic consultants. These are correct immediate responses, but the real test comes in transparency, stakeholder communication, and demonstrable security improvements that restore trust.

Sunday Update:

Manage My Health provided crucial clarification on Friday, January 3, significantly narrowing the scope of the breach. Independent forensic specialists confirmed that only one module—“Health Documents”—was compromised, not the entire application. Preliminary investigation reveals no evidence that the core patient database was accessed, no data modification or destruction occurred, and user credentials remain secure. The company announced it has the complete list of affected individuals and is commencing legal action to protect client data. However, the situation remains urgent: cybersecurity analysts report that Kazu issued a 48-hour ultimatum on January 3, effectively accelerating their deadline from January 15 to approximately today, January 5. Manage My Health has confirmed the system environment is now secure and continues working with the Privacy Commissioner, Police, and Health New Zealand to finalize forensic verification before notifying all affected parties.

Monday Update: Government Review Ordered, High Court Injunction Granted:

The Manage My Health breach escalated significantly on Monday, January 5, as Health Minister Simeon Brown ordered a Ministry of Health review into the incident and the company’s response. The review, set to commence by January 30, will assess the cause of the breach, evaluate the adequacy of data protections, and recommend improvements to prevent similar incidents. Brown described the breach as “pretty unacceptable” and a “big wake-up call,” noting that New Zealanders have a right to expect their data is held to the highest standards, whether by public or private entities.

Manage My Health secured a High Court injunction prohibiting third parties from accessing or sharing any stolen data, and established an international monitoring team to issue immediate takedown notices if information appears on data leak websites. The company issued its first direct apology, acknowledging “we could have done a better job at communication” while defending the priority given to securing data and verifying accuracy before public statements.

The urgency intensified as the Kazu group’s modified deadline approached—Tuesday, January 6 at 5am—threatening to release all stolen data if the $60,000 ransom wasn’t paid. Brown stated firmly that the government recommends against payment: “They are criminals. They are trying to use people’s most personal information to extort money from this company.”

Disturbing details emerged about the stolen data’s sensitivity. IT consultant Cody Cooper, who examined samples before they were taken down, confirmed the files include passport scans, psychiatric assessments, and nude medical photographs. The breach is now being described as potentially New Zealand’s worst cybersecurity incident, significantly larger than the 2021 Waikato DHB breach that affected 4,000 people. Manage My Health began contacting affected general practices on Monday, with direct patient notifications expected throughout the week—though the company still cannot specify exactly when all 126,000 affected individuals will be informed.

Tuesday Update: Ransom Deadline Passes, Patient Notifications Begin:

The Kazu group’s ransom deadline passed early Tuesday morning at approximately 5:37am, and as of midday Tuesday, the hackers have not released additional data beyond the initial samples. However, uncertainty about whether the data will still be leaked continues to fuel patient anxiety.

Manage My Health began the formal notification process on Monday, January 6, distributing communications to the first group of affected and unaffected general practices on January 5. The company confirmed that features have gone live on the ManageMyHealth app allowing practices to view secure lists of enrolled patients affected by the breach. An 0800 helpline is being established where impacted patients can access advice and support, though the number has not yet been publicly released. GP practices report receiving “a lot of queries” from anxious patients who still don’t know whether their data was compromised. General Practice Owners’ Association chairperson Angus Chambers told RNZ that “there’s people who have had their privacy breached, and they don’t know either.” He emphasized that direct patient notification remains Manage My Health’s responsibility, though the slow pace of communication continues to frustrate both patients and healthcare providers.

The company is now working through the Privacy Act notification process for each affected individual in conjunction with Health New Zealand and the Office of the Privacy Commissioner. However, ManageMyHealth still cannot specify when all 126,000 affected individuals will be informed, stating only that notifications will continue “throughout the course of this week.”

Wednesday Update: Direct Patient Notifications Begin Today:

ManageMyHealth announced yesterday that it will begin notifying affected patients directly within the next 24 hours, with notifications sent initially via email to registered account addresses. The company expects to complete the notification process by early next week. In preparation, ManageMyHealth temporarily redirected its mobile app to the web application to ensure consistent notification information across platforms.

The company also issued a warning that third parties should not engage directly with the criminal hacker groups, citing Police advice that doing so “is not in the best interest of those impacted by this incident and can have unanticipated consequences.” ManageMyHealth confirmed it’s establishing an advisory board to provide additional clinical and technical support in the aftermath of the attack. The New Zealand Herald revealed that ManageMyHealth doesn’t have a full board—CEO Vino Ramayah is effectively the sole owner and one of only two directors—raising questions about governance oversight for a platform handling 1.85 million Kiwis’ medical data.

Immediate Actions for Your Business

If you’re responsible for protecting customer or client data, consider these questions:

Incident response: Could your team identify, contain, and notify stakeholders of a security breach within 48 hours—including during the holiday period?

Standards compliance: What cybersecurity frameworks are you following? How can you demonstrate to stakeholders that you are taking a proactive approach to protecting data held on your platform? This includes authentication, encryption, data segmentation, backup verification, platform and tool updates to minimise known vulnerabilities, and so forth.

Communication protocols: Do your incident response plans include immediate notification procedures for key stakeholders before they learn about incidents from external sources?

Monitoring consistency: Do your cybersecurity monitoring and response capabilities maintain effectiveness during holiday periods and staff absences?

The Neighbourly Breach: New Zealand’s Holiday Vulnerability Window

The ManageMyHealth incident wasn’t New Zealand’s only major data breach over the holiday period.

Neighbourly, the Stuff-owned community social media platform, was also compromised, with operators learning of the breach on New Year’s Day. The platform immediately took the site offline while investigating, confirming on January 3 that registered users’ names, email addresses, GPS coordinates, public posts and private messages were accessed—though passwords remained secure. Dark web monitoring services report that over 213 million lines of Neighbourly data were offered for sale on cybercrime marketplaces over Christmas. The platform has since restored service and is seeking a court injunction to prevent use of the compromised data. The timing is significant: two major New Zealand platforms breached within days of each other, both during the extended holiday period when monitoring resources are stretched and response capabilities are reduced. This pattern reinforces that the Christmas-New Year window represents New Zealand’s highest-risk period for cyber attacks.

The Kinetics Approach to Data Protection

At Kinetics, our KARE Foundation service builds systematic cybersecurity protection that doesn’t depend on perfect human vigilance or convenient timing. KARE Foundation Cyber-protection is built around trusted standards with SMB1001 reporting included in monthly reports and other GRC standards available as required.

Multi-layered protection includes endpoint detection and response (EDR), continuous monitoring for unusual authentication patterns (like the attacks we detected over Christmas), verified backup procedures, and documented incident response protocols that maintain effectiveness regardless of holidays or staffing levels.

The difference isn’t just technology. It’s systematic processes that ensure critical security tasks happen consistently, even when other priorities compete for attention or key staff are unavailable.

For businesses handling sensitive customer data, this systematic approach provides both protection and accountability. You’re not just protected. You have documented evidence of the protection measures in place.

What Affected Users Should Do Now

If you’ve used Manage My Health, take these immediate steps:

Change your password immediately—both on Manage My Health and any other site where you’ve reused that password. Password reuse is one of the primary ways single breaches cascade into multiple compromised accounts.

Watch for phishing attempts. The attackers have your email address and know you’re a Manage My Health user. Expect targeted phishing emails claiming to be from Manage My Health, your GP, or Health NZ. Don’t click links in emails—go directly to websites by typing the URL.

Monitor for identity theft. Medical identity theft is real and expensive. Watch for unfamiliar medical bills, insurance claims, or credit inquiries related to healthcare services you didn’t receive.

Be skeptical of urgent messages. Manage My Health has warned that legitimate communications will never ask for passwords or one-time authentication codes. If you’re unsure whether communication is genuine, don’t respond—contact the organization directly through their official website.

The Bigger Picture

The Manage My Health breach will likely prove to be one of New Zealand’s largest healthcare data breaches. But its real significance isn’t the numbers. It is a reminder that cybersecurity failures affect real people with real consequences.

Medical records, test results, and health histories are among the most sensitive personal information anyone possesses. When that data is compromised, it’s not just statistics. There will be individuals facing potential identity theft, privacy violations, and erosion of trust in digital healthcare tools.

For businesses across all sectors, the lesson is clear: data protection isn’t optional, incident response requires preparation not improvisation, and trust, once broken, is extraordinarily difficult to rebuild.