What New Zealand Businesses Need to Learn from 126,000 Compromised Patient Records
New Zealand’s largest patient information portal confirmed a major cyber security breach on New Year’s Eve, with up to 126,000 users potentially affected. The ManageMyHealth incident isn’t just a healthcare story. It is a warning for every New Zealand business handling sensitive customer data.
While most Kiwis were celebrating the new year, the Kazu ransomware group was exfiltrating 108 gigabytes of medical data from ManageMyHealth. This included patient records, test results, prescriptions, appointment histories, and personal information for potentially 6-7% of the platform’s 1.8 million registered users.
The breach highlights three critical cybersecurity failures that New Zealand businesses can’t afford to ignore.
The Breach: What Actually Happened
ManageMyHealth, the online platform connecting patients with GP practices across New Zealand, identified “unauthorised access” to its systems on December 30, 2025. The platform immediately engaged international forensic consultants and notified the Privacy Commissioner, Police, and Health New Zealand.
The Kazu group claims to have stolen 428,337 files totalling 108GB of data. They’ve set a ransom demand of $60,000 USD with a deadline of January 15, 2026, threatening to release the complete dataset if payment isn’t received.
CEO Vino Ramayah stated the incident has been contained and investigations are underway. Affected users are being notified directly, though the company estimates this represents between 108,000 and 126,000 individuals.
Health Minister Simeon Brown described the breach as “concerning” while confirming Health New Zealand’s own systems remain unaffected, as ManageMyHealth operates separate infrastructure.
Update:
ManageMyHealth provided crucial clarification on Friday, January 3, significantly narrowing the scope of the breach. Independent forensic specialists confirmed that only one module—“Health Documents”—was compromised, not the entire application. Preliminary investigation reveals no evidence that the core patient database was accessed, no data modification or destruction occurred, and user credentials remain secure. The company announced it has the complete list of affected individuals and is commencing legal action to protect client data. However, the situation remains urgent: cybersecurity analysts report that Kazu issued a 48-hour ultimatum on January 3, effectively accelerating their deadline from January 15 to approximately today, January 5. ManageMyHealth has confirmed the system environment is now secure and continues working with the Privacy Commissioner, Police, and Health New Zealand to finalize forensic verification before notifying all affected parties.
Three Critical Failures Every Business Should Note
1. Communication Breakdown During Crisis
Perhaps the most damaging aspect wasn’t the breach itself—it was how stakeholders learned about it.
Dr Luke Bradford, president of the College of GPs, told media: “It’s terribly disappointing. They’re an absolutely key tool that we use for patients… if their data’s not safe, then their very personal information is not safe.”
The problem was that GPs learned about the breach from news articles, not from ManageMyHealth. Doctors—the platform’s primary professional users—found out from media reports while their practices were closed for the holiday period.
Business lesson: Your incident response plan must identify primary stakeholders and notify them before they read about it in the news. When doctors who rely on your platform daily learn about security breaches from journalists, trust erodes immediately.
2. The Holiday Timing Vulnerability
The breach occurred during the extended Christmas/New Year period when most GP practices were closed for four days. This wasn’t coincidental. Cyber criminals specifically target holiday periods when security teams are operating with reduced staff and response capabilities are compromised.
Business lesson: Cybersecurity doesn’t take holidays. Attackers know this and exploit it systematically. Your monitoring and response capabilities need to maintain effectiveness during holiday periods, not scale back when your business is most vulnerable.
3. Scale Matters—But So Does Preparation
Cybersecurity expert Daniel Ayers noted this breach is “catastrophic on the New Zealand scale,” potentially affecting 30 times more people than the 2021 Waikato DHB breach (4,000 people).
With 1.8 million registered users, ManageMyHealth is New Zealand’s largest patient information portal. But size didn’t protect them, and the ransom demand of just $60,000 seems surprisingly low given the data’s sensitivity and the number of affected users.
Business lesson: Whether you’re managing 1,800 customer records or 1.8 million, the fundamental security principles remain the same. Systematic protection, with current software patches and tools, consistent monitoring, and verified backup procedures, isn’t optional.
What This Means for Your Business
If your organisation handles sensitive customer data such as financial records, personal information, proprietary business details, or client communications, then the ManageMyHealth breach offers three immediate lessons:
Your stakeholders deserve direct communication. Don’t let customers, partners, or professional users learn about security incidents from media reports. Incident response plans must include immediate stakeholder notification protocols. Kinetics can help you prepare these plans, which hopefully will never be needed.
Holiday vulnerabilities are real. December through January represents New Zealand’s highest-risk period for cyber attacks. Reduced staffing, delayed responses, and slower decision-making create opportunities attackers systematically exploit.
Containment isn’t resolution. ManageMyHealth contained the breach quickly and engaged forensic consultants. These are correct immediate responses, but the real test comes in transparency, stakeholder communication, and demonstrable security improvements that restore trust.
The Neighbourly Breach: New Zealand’s Holiday Vulnerability Window
The ManageMyHealth incident wasn’t New Zealand’s only major data breach over the holiday period.
Neighbourly, the Stuff-owned community social media platform, was also compromised, with operators learning of the breach on New Year’s Day. The platform immediately took the site offline while investigating, confirming on January 3 that registered users’ names, email addresses, GPS coordinates, public posts and private messages were accessed—though passwords remained secure. Dark web monitoring services report that over 213 million lines of Neighbourly data were offered for sale on cybercrime marketplaces over Christmas. The platform has since restored service and is seeking a court injunction to prevent use of the compromised data. The timing is significant: two major New Zealand platforms breached within days of each other, both during the extended holiday period when monitoring resources are stretched and response capabilities are reduced. This pattern reinforces that the Christmas-New Year window represents New Zealand’s highest-risk period for cyber attacks.
Immediate Actions for Your Business
If you’re responsible for protecting customer or client data, consider these questions:
Incident response: Could your team identify, contain, and notify stakeholders of a security breach within 48 hours—including during the holiday period?
Standards compliance: What cyber-security frameworks are you following? How can you demonstrate to stakeholders that you are taking a proactive approach to protect data held on your platform? This includes authentication, encryption, data segmentation, backup verification, platform and tool updates to minimise known vulnerabilities, and so forth.
Communication protocols: Do your incident response plans include immediate notification procedures for key stakeholders before they learn about incidents from external sources?
Monitoring consistency: Do your cybersecurity monitoring and response capabilities maintain effectiveness during holiday periods and staff absences?
The Kinetics Approach to Data Protection
At Kinetics, our KARE Foundation service builds systematic cybersecurity protection that doesn’t depend on perfect human vigilance or convenient timing. KARE Foundation Cyber-protection is built around trusted standards with SMB1001 reporting included in monthly reports and other GRC standards available as required.
Multi-layered protection includes endpoint detection and response (EDR), continuous monitoring for unusual authentication patterns (like the attacks we detected over Christmas), verified backup procedures, and documented incident response protocols that maintain effectiveness regardless of holidays or staffing levels.
The difference isn’t just technology. It’s systematic processes that ensure critical security tasks happen consistently, even when other priorities compete for attention or key staff are unavailable.
For businesses handling sensitive customer data, this systematic approach provides both protection and accountability. You’re not just protected. You have documented evidence of the protection measures in place.
What Affected Users Should Do Now
If you’ve used ManageMyHealth, take these immediate steps:
Change your password immediately—both on ManageMyHealth and any other site where you’ve reused that password. Password reuse is one of the primary ways single breaches cascade into multiple compromised accounts.
Watch for phishing attempts. The attackers have your email address and know you’re a ManageMyHealth user. Expect targeted phishing emails claiming to be from ManageMyHealth, your GP, or Health NZ. Don’t click links in emails—go directly to websites by typing the URL.
Monitor for identity theft. Medical identity theft is real and expensive. Watch for unfamiliar medical bills, insurance claims, or credit inquiries related to healthcare services you didn’t receive.
Be skeptical of urgent messages. ManageMyHealth has warned that legitimate communications will never ask for passwords or one-time authentication codes. If you’re unsure whether communication is genuine, don’t respond—contact the organization directly through their official website.
The Bigger Picture
The ManageMyHealth breach will likely prove to be one of New Zealand’s largest healthcare data breaches. But its real significance isn’t the numbers. It is the reminder that cybersecurity failures affect real people with real consequences.
Medical records, test results, and health histories are among the most sensitive personal information anyone possesses. When that data is compromised, it’s not just statistics. There will be individuals facing potential identity theft, privacy violations, and erosion of trust in digital healthcare tools.
For businesses across all sectors, the lesson is clear: data protection isn’t optional, incident response requires preparation not improvisation, and trust, once broken, is extraordinarily difficult to rebuild.