managemyhealth breach

Table of Contents

    Tamzid | Cybersecurity Writer

    Published:

    January 6, 2026

    Updated:

    January 6, 2026

    ManageMyHealth Breach Exposes 126K Users

    What Happened

    Manage My Health, a widely used New Zealand patient portal, said an unauthorized party accessed a portion of its platform and may have viewed health documents linked to roughly 6% to 7% of its registered user base. The company has put the potential impact at 108,000 to 126,000 people out of about 1.8 million registered users.

    The company said the incident was limited to the “My Health Documents” or “Health Documents” module, and it has reported no evidence so far of access to the core patient database, no access to user credentials, and no evidence of data destruction or modification inside its systems. I used AI to help summarize and organize confirmed reporting and official statements, and I flagged items that remain unverified. 

    ManageMyHealth Data Breach
    ManageMyHealth Data Breach

    Timeline: From First Access To Latest Update

    1. Dec 30, 2025 (Incident identified)

    Manage My Health said it learned of the incident after a partner notified it. The company said it secured the platform, stopped further unauthorized access, and preserved evidence. It also brought in independent cyber and forensic specialists.

    2. Jan 1, 2026 (Public disclosure and early impact estimate)

    The company posted a public holding statement and began issuing follow-up updates as forensic work progressed. Early estimates placed potential exposure at 6% to 7% of registered users, translating to roughly 108,000 to 126,000 people.

    3. Jan 3, 2026 (Scope confirmation and remediation)

    The company and RNZ reported that only the Health Documents portion had been accessed. Manage My Health said it had a complete list of people whose documents may have been accessed. It also said it identified and closed “specific gaps” that allowed access, and external experts tested the fix.

    4. Jan 6, 2026 (Notifications, legal action, and support measures)

    Manage My Health said it identified all patients whose documents may have been accessed and notified an initial group of general practices. It started the Privacy Act notification process with Health New Zealand and the Office of the Privacy Commissioner. It also obtained interim High Court injunction orders intended to stop third parties from accessing, sharing, or linking to the stolen dataset, and said an 0800 helpline was in progress.

    What Data Or Systems Were Affected

    Manage My Health said the activity focused on a specific group of documents within its system, tied to its documents module, rather than the full portal. It said appointment, prescription, and health record functions were not accessed.

    Public reporting has described the exposed material as private health documents, but detailed categories of data (for example, lab reports, referral letters, imaging results, or IDs) have not been fully published in official statements as of January 6, 2026. The company has said it is still confirming the exact documents involved through forensic work.

    Who Was Responsible (Confirmed vs Alleged)

    Manage My Health has not named an intruder. It has said attribution remains for law enforcement and forensic investigation.

    New Zealand media reported that a cybercrime group calling itself “Kazu” claimed the attack and issued an extortion demand, including a reported $60,000 deadline and claims about the amount of data and number of files. Those claims have not been confirmed in the company’s public updates.

    How The Attack Worked 

    The company has not published a full technical root cause. It has said “specific gaps” in code allowed access to documents, and it said those gaps were closed and validated through external testing.

    Separate reporting cited security concerns raised by outside experts, including claims about outdated encryption. Those statements represent third-party commentary, and they have not been adopted as official findings in the company’s updates.

    Company Response And Customer Remediation

    Manage My Health said it notified the Office of the Privacy Commissioner, Health New Zealand, and New Zealand Police, and it has described ongoing coordination with those agencies while forensic work continues.

    On January 6, it said it was working through Privacy Act notifications for each affected individual, coordinating with Health New Zealand and general practices to avoid conflicting or duplicate messages. It also said practices can access a list of affected patients and the records accessed through a secure provider portal, and it said an 0800 helpline would provide advice and support.

    Government, Law Enforcement, And Regulator Actions

    Health New Zealand said its own systems were not affected and it activated an incident management response, with coordination across government agencies including the National Cyber Security Centre and the Police Cyber Crime Unit.

    New Zealand’s health minister, Simeon Brown, said the breach was “incredibly concerning” and ordered a review into the incident and response, according to reporting from The Register and local outlets.

    Manage My Health said it obtained interim High Court injunction orders intended to restrict access to and distribution of the stolen dataset, and to require deletion and takedowns where possible.

    Beyond legal action and response costs, wider financial impact remains unclear in public reporting as of January 6, 2026. No publicly confirmed fines, settlements, or class actions have surfaced in the sources reviewed, though the government review and privacy processes can raise compliance and operating costs over time.

    What Remains Unclear

    • The exact number of affected people remains a range rather than a final count.
    • The company said forensic work is still validating the full scope of the incident.
    • It remains unclear whether any data was exfiltrated or only viewed.
    • The specific document types accessed across the affected set have not been confirmed.
    • It is not confirmed whether any stolen files have been posted publicly.
    • Extortion claims reported in local media remain unverified in official updates.

    Why This Incident Matters

    Health portals concentrate high-sensitivity data, and even partial access can create long-lived harm, such as targeted scams, blackmail attempts, and identity abuse that draws on medical context. The Manage My Health case also highlights how a single module can become a high-impact failure point at national scale.

    The response also shows how healthcare breaches can trigger multi-agency coordination, court action, and sector-wide scrutiny, even when core systems remain available. That combination raises the stakes for security testing, incident response readiness, and clear patient communications.

    How Bright Defense Can Help

    A patient-portal breach like the Manage My Health incident signals how fast a single exposed feature can put sensitive documents in the hands of an attacker. Incidents like this can affect other companies, especially anyone that stores user-uploaded files, clinical attachments, or identity documents. 

    Bright Defense can help you reduce that risk with penetration testing focused on authentication, authorization, and file access controls. If you want a practical view of what an attacker can reach, request a penetration test from Bright Defense and get a clear remediation plan that matches your environment and threat model.

    Read About More Breaches Here!

    Sources

    1. Manage My Health – MMH cyber breach update 6 January 2026 (January 6, 2026)
      https://managemyhealth.co.nz/mmh-cyber-breach-update-6-january-2026/
    2. RNZ – ManageMyHealth confirms cyber breach (December 31, 2025)
      https://www.rnz.co.nz/news/national/582969/managemyhealth-confirms-cyber-breach
    3. Newstalk ZB – Up to 126,000 ManageMyHealth users believed to be affected by cyber data breach (January 1, 2026)
      https://www.newstalkzb.co.nz/news/crime/managemyhealth-data-breach-what-we-know-as-up-to-126-000-possible-users-affected/
    4. The Register – New Zealand orders review into ManageMyHealth cyberattack (January 5, 2026)
      https://www.theregister.com/2026/01/05/nz_managemyhealth_breach_review/
    5. Healthcare IT News – 126,000 affected by IT hack on patient portal Manage My Health (January 4, 2026)
      https://www.healthcareitnews.com/news/anz/126000-affected-it-hack-patient-portal-manage-my-health
    6. Manage My Health – FAQs – Cyber Breach (accessed January 6, 2026)
      https://managemyhealth.co.nz/faqs-cyber-breach/
    7. NZ Herald – ManageMyHealth data breach: What we know as up to 126,000 possible users affected (January 1, 2026)
      https://www.nzherald.co.nz/nz/managemyhealth-data-breach-what-we-know-as-up-to-126000-possible-users-affected/RPQ3OA33Y5D3ZAVKI4PWDUN42E/

    Recent Posts

    Google Kills Dark Web Monitoring After User Backlash

    2.3M WIRED Subscribers Exposed in Condé Nast Leak

    Spotify Data Leak Panic: 256M Tracks Exposed

    Contact us

    Tamzid | Cybersecurity Writer

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust and keeps them ahead of the curve.

    Get In Touch

      Group 1298 (1)-min