TL;DR: A ransomware group called "Kazu" breached ManageMyHealth, New Zealand's largest patient portal. Between 108,000 and 126,000 patients had their medical documents stolen. The attackers posted samples online and demand US$60,000 by January 15, 2026, or they'll leak 400,000 files. The breach started December 30, 2025. Patient notifications went out today, January 8. If you used ManageMyHealth with a Northland-region GP, assume your data is compromised.
Your Medical Records Are Now Ransom Material
ManageMyHealth detected unauthorized access on December 30, 2025. Attackers used stolen credentials to access patient data: a "password accessed intrusion" according to the company. They didn't need sophisticated hacking tools. Someone's login worked, and they walked right in.
The ransomware group Kazu claimed responsibility on January 1, 2026. They posted samples of stolen data online as proof. Clinical discharge summaries. Referral records. Documents some patients uploaded themselves. Medical histories going back six to eight years.
The demand: US$60,000 (about NZ$103,368) by January 15, 2026. Pay up or 400,000 files get dumped publicly.
ManageMyHealth serves 1.8 million registered users across New Zealand. The breach hit 6-7% of them. That's not a small number. 126,000 people now have their medical information in criminal hands.
Who Got Hit
The attack concentrated on patients using GP practices in the Northland region. Approximately 45 Northland-based practices were affected. Another 355 practices across New Zealand that had sent referrals through the system also had data exposed.
ManageMyHealth says only the "My Health Documents" module was breached. That's where patients upload their own documents, and where clinical discharge summaries and referral records get stored. The company claims the core "Health Records" module (the part with live GP data, appointments, and prescriptions) wasn't touched.
Cold comfort if your cancer diagnosis letter is now on a hacker's server.
The stolen documents include:
- Clinical discharge summaries from hospital visits
- Historical referral records between healthcare providers
- Documents patients uploaded themselves (test results, specialist letters, health records)
- Files dating back six to eight years, long enough to include conditions you might not want public
A Week of Silence
The timeline matters here:
- December 30, 2025: ManageMyHealth detects the breach
- January 1, 2026: Company goes public with the incident
- January 1, 2026: Kazu claims responsibility, posts samples, sets ransom deadline
- January 8, 2026: Affected patients finally receive direct notifications
- January 15, 2026: Ransom deadline, data dump threatened
Nine days between detection and patient notification. Nine days where victims didn't know their medical records were being held hostage. Nine days to worry about identity theft, insurance discrimination, or personal embarrassment, without even knowing the threat existed.
New Zealand's privacy laws require "prompt" breach notification. Nine days isn't prompt.
Government Orders Review
Health Minister Simeon Brown commissioned a Ministry of Health review of the incident. The review will examine what happened, whether ManageMyHealth had adequate security, and whether Health New Zealand's oversight was sufficient.
That's government-speak for "someone screwed up and we need to figure out who."
New Zealand Police and the Privacy Commissioner are investigating. ManageMyHealth obtained High Court injunctions to prevent distribution of the stolen data, a legal move that's largely symbolic. Hackers operating from overseas don't care about New Zealand court orders.
The New Zealand government has advised ManageMyHealth not to pay the ransom. Standard policy: paying ransoms encourages more attacks. But that's easy to say when it's not your colonoscopy results being threatened with publication.
Healthcare Data Is Different
Your Netflix password leaks, you change it and move on. Your medical records leak, and the damage follows you forever.
Medical data creates unique risks:
Insurance Discrimination
Pre-existing conditions, mental health treatment, genetic test results: all ammunition for insurers to deny coverage or raise premiums. Technically illegal in many jurisdictions. Practically happens constantly.
Employment Consequences
Employers can't legally ask about health conditions. But if your medical records are public, they don't have to ask. A Google search reveals your depression diagnosis before the interview even starts.
Personal Blackmail
STI test results. Abortion records. Mental health treatment. Substance abuse therapy. Attackers use this information for individual extortion, not just organizational ransoms.
Identity Theft
Medical records contain names, dates of birth, addresses, and sometimes government ID numbers. Perfect building blocks for opening fraudulent accounts or filing fake tax returns.
Healthcare systems are juicy targets for exactly this reason. The data is valuable, the systems are often underfunded and outdated, and the organizations are slow to respond. Attackers know hospitals and clinics will pay to avoid patient lawsuits. Even when they don't pay, the stolen data sells well on dark web markets.
What You Can Do
If You're Affected
Check your email for notifications from ManageMyHealth. Change your portal password immediately. Review what documents you uploaded to the platform. Consider freezing your credit if personal identification documents were included.
Monitor Your Identity
Watch for signs of identity theft: unexpected credit inquiries, medical bills for services you didn't receive, letters from debt collectors. Set up fraud alerts with credit bureaus. Check bank statements for unauthorized transactions.
Be Skeptical of Contacts
Attackers with your medical data may impersonate healthcare providers. Verify any calls or emails claiming to be from your GP or hospital. Don't click links in unexpected messages. Call the provider directly using a number you find yourself.
Document Everything
If you suffer damages from this breach (identity theft, insurance issues, lost employment) document it. Keep records. You may have legal recourse against ManageMyHealth for inadequate security or delayed notification.
Healthcare Security Is Broken
This breach isn't surprising. Healthcare organizations worldwide run on tight budgets with legacy systems and minimal security staff. Patient portals proliferate because they're convenient, not because they're secure.
The "password accessed intrusion" description is telling. Someone's credentials were compromised. Maybe phishing. Maybe credential reuse from another breach. Maybe an insider. Whatever the cause, a single compromised password unlocked 126,000 patient records.
Basic security measures could have prevented this:
- Multi-factor authentication on administrative accounts
- Anomaly detection for unusual access patterns
- Encryption of stored documents (even if accessed, unreadable without keys)
- Network segmentation to limit what one compromised account can access
- Regular security audits of third-party patient portal software
We don't know which of these ManageMyHealth had or lacked. The Ministry of Health review might tell us. But the result speaks for itself: one password, 400,000 files, 126,000 patients exposed.
The Clock Is Ticking
January 15, 2026. One week from today. That's when Kazu says the data goes public if they don't get paid.
ManageMyHealth likely won't pay. The government is advising against it. Insurance might not cover ransoms. And paying doesn't guarantee the attackers delete the data. They often sell it anyway or come back for more.
If the data dumps, expect it to appear on dark web forums first, then gradually surface on mainstream sites. Security researchers will comb through it. So will identity thieves. So will anyone curious about their neighbor's health history.
January 15 isn't the end. It's when the long-term damage begins.
References
- 1News - ManageMyHealth breach: Patients begin receiving notifications (January 8, 2026)
- ManageMyHealth - Security Incident Update (January 2026)
- Infosecurity Magazine - ManageMyHealth Ransomware Attack Exposes 126,000 Patient Records (January 2026)
- IT News - NZ patient portal breach affects 126,000 users (January 2026)
- NZ Herald - ManageMyHealth hackers demand $60,000 ransom (January 2026)
- RNZ - Government advises against paying ManageMyHealth ransom (January 2026)
- Beehive.govt.nz - Health Minister orders review of ManageMyHealth breach (January 2026)