The Manage My Health Cyber Security Incident
- Ray Delany

- Jan 19

The following is a summary of what has been published online regarding the late December 2025 cyber breach of the Manage My Health portal. Some of the sources reported have since taken down their content. We have endeavoured to be as factual as possible and will update this post as new information comes to light.
Summary
In late December 2025, Manage My Health (MMH), New Zealand’s largest patient portal, was subject to a cyber-extortion incident. A threat actor operating under the alias “Kazu” exfiltrated approximately 108 gigabytes of sensitive health-related data, affecting an estimated 126,000 individuals.
The core patient records database remains intact. However, a discrete component of the platform (used to store unstructured health documents) was accessed and its contents removed.
Below we outline how the breach occurred, the nature of the data exposed, and what the incident reveals about the platform’s broader security posture.
How the breach occurred
This was not a sophisticated compromise of MMH’s primary systems. The attackers gained access using valid user credentials and then exploited an access control flaw in an application programming interface (API) associated with the “Health Documents” module.
In effect, the attacker entered the system legitimately but was then able to bypass authorisation checks, allowing access to documents belonging to other users. This is a well-understood class of vulnerability.
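To illustrate this class of flaw, the following added example (not code from Manage My Health or from any of the published reports) contrasts a document lookup that only checks for a valid session with one that also checks ownership of the requested object. All class, function, and user names are hypothetical, and the sample data is constructed.

```python
# Added illustration: Document, DocumentStore and the user ids are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: str
    content: str


class AccessDenied(Exception):
    """Caller is not authenticated, or not entitled to the requested object."""


class DocumentStore:
    def __init__(self, documents):
        self._docs = {d.doc_id: d for d in documents}
        self.denied = []  # (caller, doc_id) pairs, kept for alerting

    def get_unchecked(self, session_user, doc_id):
        # Flawed pattern: a valid session is required, but the document's
        # owner is never compared with the caller.
        if session_user is None:
            raise AccessDenied("not authenticated")
        return self._docs[doc_id]

    def get_checked(self, session_user, doc_id):
        # Hardened pattern: authenticate, then authorise on every object.
        if session_user is None:
            raise AccessDenied("not authenticated")
        doc = self._docs.get(doc_id)
        if doc is None or doc.owner_id != session_user:
            # Same error for "missing" and "not yours", so the response
            # does not confirm which identifiers exist.
            self.denied.append((session_user, doc_id))
            raise AccessDenied("document not found")
        return doc


# Constructed sample data.
STORE = DocumentStore([
    Document(1001, "alice", "discharge summary"),
    Document(1002, "bob", "specialist letter"),
])
```

Recording each denied request, as the hardened method does, also gives monitoring a signal when one account repeatedly asks for documents it does not own.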
The "Health Documents" module
It is important to distinguish between MMH’s core “Health Records” and its “Health Documents” functionality.
The structured health records, such as appointments, medications, and standard GP notes, were not compromised. The breach was confined to the “Health Documents” module, which acts as a file repository for patient-uploaded documents and certain forms of clinical correspondence.
What data was exposed
The exfiltrated material consists of approximately 428,337 individual files. This was not a database extract in tabular form, but a large collection of standalone documents.
Types of information involved
Clinical correspondence: Including hospital discharge summaries, specialist letters, and laboratory results.
User-uploaded content: Files uploaded directly by patients, ranging from images of medical conditions to scanned identity documents such as passports.
Legacy data: Documents relating to former users who had left their GP practice years earlier. MMH has confirmed that patient data is retained unless an account is explicitly closed by the user, even after leaving a practice.
Regional concentration
The impact has been disproportionately felt in Northland. Health NZ estimates that more than 70 percent of affected users (approximately 86,000 people) are based in the region.
This appears to reflect a regional implementation choice: Northland was the only area where Health NZ used MMH to deliver hospital discharge summaries and outpatient letters directly to patients via the platform.
Security infrastructure observations
Independent analysis conducted after the breach identified weaknesses in MMH’s broader security configuration, separate from the specific API vulnerability that enabled the data access.
Email authentication configuration and DNS controls
As of early January 2026, MMH’s Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy places the domain in monitoring mode only and does not actively prevent unauthorised parties from sending emails that appear to come from the managemyhealth.co.nz domain. It was also reported that some of the platform’s basic security protections were not up to current standards.
In simple terms, this meant emails could be more easily faked to look like they came from Manage My Health, increasing the risk of scam or phishing messages reaching patients. In addition, extra safeguards that help ensure people are taken to the real website, rather than a convincing fake, were not switched on, making it easier for attackers to potentially mislead users online, although there is no report that this is what actually happened.
Remediation actions
Manage My Health says it has fixed the specific weakness that allowed the data to be accessed, and that this fix has been checked by independent security experts. The company has also added an extra, optional layer of login protection, which requires users to confirm their identity with a second step, such as a code sent to their phone, when signing in. This is known as multi-factor authentication (MFA) or two-factor authentication (2FA).
The "Kazu" group
The breach has been attributed to a commercially motivated “threat actor” or group using the alias “Kazu.” A ransom demand of approximately NZ$100,000 was issued, with the threat of public data release if payment was not made.
Kazu has been linked to previous international cyber-extortion activity, suggesting opportunistic financial motivation rather than ideological or political intent.
Current responses and practical guidance
Government review
The Minister of Health, Simeon Brown, has commissioned an independent review by the Ministry of Health to examine both the cause of the breach and the adequacy of the protections applied to patient data.
Advice for users
Confirm your status: Log in directly to the MMH website (desktop computer or laptop recommended rather than phone) and check for an on-screen notification banner.
Change passwords: Update your MMH password immediately, particularly if it is reused elsewhere.
Be alert to phishing: Treat unsolicited emails claiming to be from MMH, Health NZ, or your GP with caution. Avoid clicking links and verify communications through official channels.
More information
RNZ has provided good coverage of the incident including a full summary of the timeline and what we know so far.
Many other sources have been taken down since we first looked at them. We assume this is because of concerns that too much coverage of the technical details can only serve to aid the attackers. There could also be concerns about early reports being factually inaccurate or introducing liability for publishers.
Manage My Health is regularly updating on the incident here: News & Updates related to Cyber Breach
Office of the Privacy Commissioner has good information on rights and responsibilities. This site doesn’t like direct links to articles, so go to Office of the Privacy Commissioner and search for Manage My Health.
Other reports
1News. (2026, January 8). Manage My Health breach: 50% of affected patients contacted. https://www.1news.co.nz/2026/01/08/manage-my-health-breach-50-of-affected-patients-contacted/
1News. (2026, January 9). Manage My Health admits to tech issues in wake of cyber breach. https://www.1news.co.nz/2026/01/09/manage-my-health-admits-to-tech-issues-in-wake-of-cyber-breach/
1News. (2026, January 11). Manage My Health breach: More than 80,000 impacted in Northland. https://www.1news.co.nz/2026/01/11/manage-my-health-breach-more-than-80000-impacted-in-northland/
BankInfoSecurity. (2026, January 5). New Zealand Probes Ransomware Hack of Health Portal. https://www.bankinfosecurity.com/new-zealand-probes-ransomware-hack-health-portal-a-30444
Beehive.govt.nz. (2026, January 5). Review commissioned of ManageMyHealth cyber security breach. https://www.beehive.govt.nz/release/review-commissioned-managemyhealth-cyber-security-breach
BlackVeil. (2026, January 1). 108GB of Your Medical Records Stolen: What the ManageMyHealth Breach Reveals About NZ Healthcare Security. https://blackveil.co.nz/blog/managemyhealth-data-breach-analysis [Offline as of 17 January]
Bright Defense. (2026, January 6). ManageMyHealth Breach Exposes 126K Users. https://brightdefense.com/blog/managemyhealth-breach-exposes-126k-users/ [Offline as of 17 January]
High Court of New Zealand. (2026, January 6). Manage My Health Ltd v Unknown Defendants NZHC 2.
Kinetics Group. (2026, January 3). Manage My Health Data Breach – What We’ve Heard. https://www.kinetics.co.nz/blog/managemyhealth-data-breach-what-weve-heard/
LawNews. (2026, January 7). High Court issues injunction in Manage My Health cyber-attack case. https://lawnews.nz/misc/high-court-issues-injunction-in-manage-my-health-cyber-attack-case/
Lions Roar News. (2026, January 12). Expert Analysis: Fresh Security Vulnerabilities Discovered in ManageMyHealth Platform.
Paubox. (2026, January 5). ManageMyHealth data breach exposes 126,000 patients health records. https://www.paubox.com/blog/managemyhealth-data-breach-exposes-126000-patients-health-records
RNZ. (2026, January 15). Cyber-security expert launches petition to Parliament calling for harsher penalties for privacy breaches. https://www.rnz.co.nz/news/political/584086/cyber-security-expert-launches-petition-to-parliament-calling-for-harsher-penalties-for-privacy-breaches
RNZ. (2026, January 15). Manage My Health ignored warning about lax security system - cyber-security expert. https://www.rnz.co.nz/news/national/584067/manage-my-health-ignored-warning-about-lax-security-system-cyber-security-expert
RNZ. (2026, January 14). NZ's health data hack needs a proper diagnosis - and a transparent treatment plan. https://www.rnz.co.nz/news/national/583989/nz-s-health-data-hack-needs-a-proper-diagnosis-and-a-transparent-treatment-plan
RNZ. (2026, January 13). Manage My Health fallout: Will other medical platforms boost security? https://www.rnz.co.nz/news/national/583927/manage-my-health-fallout-will-other-medical-platforms-boost-security
RNZ. (2026, January 12). Manage My Health breach: Northland doctors frustrated by inconsistent messaging. https://www.rnz.co.nz/news/national/583793/manage-my-health-breach-northland-doctors-frustrated-by-inconsistent-messaging
RNZ. (2026, January 12). Northland particularly hit by Manage My Health data breach. https://www.rnz.co.nz/national/programmes/morningreport/audio/2019019201/northland-particularly-hit-by-manage-my-health-data-breach
RNZ. (2026, January 11). More than 80,000 impacted by Manage My Health breach in Northland. https://www.rnz.co.nz/news/national/583724/more-than-80-000-impacted-by-manage-my-health-breach-in-northland
RNZ. (2026, January 10). Manage My Health breach victims warned to beware bank account theft. https://www.rnz.co.nz/news/business/583651/manage-my-health-breach-victims-warned-to-beware-bank-account-theft
RNZ. (2026, January 7). Manage My Health CEO: Trust us 'even though we have dropped the ball'. https://www.rnz.co.nz/news/national/583319/manage-my-health-ceo-trust-us-even-though-we-have-dropped-the-ball
RNZ. (2026, January 8). Manage My Health cybersecurity hack: GPs whose patients' data was stolen identified. https://www.rnz.co.nz/news/national/583156/manage-my-health-cybersecurity-hack-gps-whose-patients-data-was-stolen-identified
RNZ. (2026, January 1). ManageMyHealth reveals scope of data breach. https://www.rnz.co.nz/news/national/583030/managemyhealth-reveals-scope-of-data-breach
The Spinoff. (2026, January 13). New health data breach increases scrutiny on private health IT. https://thespinoff.co.nz/the-bulletin/13-01-2026/new-health-data-breach-increases-scrutiny-on-private-health-it
SecurityBrief New Zealand. (2026, January 8). ManageMyHealth fixes code and bolsters security after hack. https://securitybrief.co.nz/story/managemyhealth-fixes-code-and-bolsters-security-after-hack
utf9k. (2026, January 4). A recap of the ManageMyHealth data breach so far. https://utf9k.net/blog/managemyhealth-breach-recap/
CIO Studio provides independent digital strategy and leadership for New Zealand's health, NGO, and community organisations. If you want to talk to an expert about mitigating your cyber security risk, get in touch for a no obligation conversation.




