GP patient portal hackers set new ransom deadline

Breach hit 120,000 patients, hackers demanded US$60,000

By Roxanne Libatique

Attackers behind the ransomware incident at New Zealand health portal Manage My Health (MMH) have set a new deadline for ransom negotiations and continue to publish messages online, while the company’s operational and legal response progresses.

The group, which targeted MMH on Dec. 30 and accessed personal health documents for about 120,000 people, initially demanded US$60,000 (about NZ$104,000). Over the weekend, they began posting sensitive files on the dark web and said they would release “everything they have” if payment was not made within 48 hours, according to Stuff’s report. That timeline expired at 5:37am on Jan. 6. The group has since stated it has entered discussions with MMH and would “not share the files during the communication period,” and set a new deadline of 5am on Jan. 9 for a potential resolution. MMH has not said whether it will pay the ransom.

Shortly after the original deadline passed, the hackers published a message on encrypted messaging platform Telegram at 11am New Zealand time stating: “Free Nicolás Maduro.” The reference was to Venezuela’s former leader, who recently appeared in a New York court on drug and weapons charges and pleaded not guilty after his capture by US forces. In a later message, the group claimed to be operating from Cuba and described the attack as financially motivated rather than political.

Company sets out scope of breach and affected modules 

In a Jan. 6 update, MMH said an independent forensic investigation found that the incident was confined to the “My Health Documents” module of the platform. The company reported that approximately 6% to 7% of its 1.8 million registered users of that module had documents accessed in the breach. MMH said data within the portal’s core module – including appointments, prescriptions, and information in the Health Record function – had not been accessed. External specialists reported no evidence of unauthorised access to those core functions.

The company has begun direct communication with general practices using the platform. On Jan. 5, it notified an initial set of both affected and unaffected practices, advising that some patients linked to certain practices had documents accessed. MMH is providing materials practices can use when responding to patient queries. Practices can review a list of impacted patients and the documents accessed via the MMH Provider Portal. MMH has recommended that practices identify any patients they consider vulnerable before notifications are issued, so additional support can be arranged where needed. The company has also switched on an in-app feature that indicates whether a practice has been affected, and is developing a process to reach practices that no longer use MMH.

Notifications and regulatory coordination under the Privacy Act 

MMH is working with Health New Zealand and the Office of the Privacy Commissioner on its obligations under the Privacy Act, which requires individuals to be notified when their information has been accessed without authorisation. The company has said it will handle Privacy Act notifications on behalf of practices. Notifications will be sent through the MMH system, including information on how affected individuals can obtain further details and assistance. Practices will receive the same content so they can respond to patients after notifications are issued.

MMH plans to introduce an 0800 helpline for patients whose information was accessed, providing a central channel for advice about the incident. Practices will be advised once the helpline is operating. Additional features in the app are expected to allow users to check whether any of their documents were involved. Chief executive Vino Ramayah has acknowledged responsibility for the security failure and indicated he may be prepared to step aside once the immediate response phase is over. “That’s something for after the dust settles, whether I’m the current or continue to be the CEO. I’m not unprepared to step down if there’s a better person who can do a better job than I did,” Ramayah told RNZ.

Court orders aim to limit use and sharing of stolen data

MMH has obtained interim injunctions from the High Court intended to restrict further use and distribution of the stolen data. The orders prohibit third parties from accessing or dealing with the compromised information, require those holding the data or derived information to delete it, and direct the removal of any publications or links to copies of the dataset. The company is seeking formal sealed versions of the orders. It has said it is working with authorities and relevant agencies on the ongoing response and has apologised to providers and patients for the “pain and anxiety” caused by the incident.

Cyber incident patterns and insurance implications 

The MMH case is unfolding against a backdrop of high cyber incident rates in Australia and New Zealand. A global study commissioned by security vendor Arctic Wolf found that 85% of surveyed organisations in Australia and New Zealand reported at least one cyber incident in the previous year, compared with 76% of respondents globally. Nearly three-quarters of local organisations that received ransomware demands said they paid at least one ransom to prevent data exposure, and 91% of those payers used external negotiators. Fewer than half reported securing a reduction in the initial ransom demand.

For cyber underwriters and intermediaries, these patterns – combined with the MMH breach’s regulatory, legal, and notification dimensions – are likely to factor into ongoing adjustments to pricing, coverage terms, and sublimits. Areas of particular focus include extortion cover, business interruption, incident response and legal costs, and data governance expectations for healthcare and other sectors that handle sensitive personal information at scale.
